Reputation: 21
The art of exploitation - exploit_notesearch.c
i've got a question regarding the exploit_notesearch program.
This program is only used to create a command string we finally call with the system() function to exploit the notesearch program that contains a buffer overflow vulnerability. The commandstr looks like this: ./notesearch Nop-block|shellcode|repeated ret(will jump in nop block).
Now the actual question: The ret-adress is calculated in the exploit_notesearch program by the line:
ret = (unsigned int) &i-offset;
So why can we use the address of the i-variable that is quite at the bottom of the main-stackframe of the exploit_notesearch program to calculate the ret address that will be saved in an overflowing buffer in the notesearch program itself ,so in an completely different stackframe, and has to contain an address in the nop block(which is in the same buffer).
Upvotes: 1
Views: 1878
Answers (3)
Reputation: 13
Because we subtract, UP. Don't forget, the stack is backwards...and that's okay. We subtract to go up into newer programs. The lower the memory in the stack, the older the program is...
Upvotes: 0
Reputation: 3544
that will be saved in an overflowing buffer in the notesearch program itself ,so in an completely different stackframe
As long as the system uses virtual memory, another process will be created by system() for the vulnerable program, and assuming that there is no stack randomization,
both processes will have almost identical values of esp (as well as offset) when their main() functions will start, given that the exploit was compiled on the attacked machine (i.e. with vulnerable notesearch).
The address of variable i was chosen just to give an idea about where the frame base is. We could use this instead:
unsigned long sp(void) // This is just a little function
{ __asm__("movl %esp, %eax");} // used to return the stack pointer
int main(){
esp = sp();
ret = esp - offset;
//the rest part of main()
}
Because the variable i will be located on relatively constant distance from esp, we can use &i instead of esp, it doesn't matter much.
It would be much more difficult to get an approximate value for ret if the system did not use virtual memory.
Upvotes: 3
Reputation: 119
the stack is allocated in a way as first in last out approach. The location of i variable is somewhere on the top and lets assume that it is 0x200, and the return address is located in a lower address 0x180 so in order to determine the where about to put the return address and yet to leave some space for the shellcode, the attacker must get the difference, which is: 0x200 - 0x180 = 0x80 (128), so he will break that down as follows, ++, the return address is 4 bytes so, we have only 48 bytes we left before reaching the segmentation. that is how it is calculated and the location i give approximate reference point.
Upvotes: 0
Related Questions
- Buffer overflow assistance
- Buffer overflow exploit
- can you identify any vulerabilty in this C code
- Finding stack buffer overflows
- Hacking - The Art of Exploitation: debugging buffer overflow example
- linux buffer overflow - Art of Exploitation To Old?
- Hacking Challenge - locating vulnerability in the code
- Stack Overflow Exploit in C
- Stack-based overflow code from Hacking: The Art of Exploitation
- Buffer overflow: writing code to stack and executing there