Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to replace the return address on the stack using a buffer overflow attack

Tags:

x86

assembly

buffer-overflow

For a homework assignment, I am performing a series of buffer overflow attacks. I was given a program to disassemble, the source code in C for a function that improperly calls gets(), and the source code for several other functions that I am supposed to force the program to call. For one of the tasks, I have to:

  • Inject some code that changes a value, then
  • Return to one of the aforementioned methods

The main thing that I don't understand where the program looks in the stack when determining where to return. Where is the return address for a method stored on the stack?

The program was compiled for x86.

like image 874
Kevin Avatar asked Dec 12 '22 21:12

Kevin

1 Answers

What you need to know:

  • EIP is a register that points at the next instruction to execute.

  • When calling a function, the arguments and then EIP (so the called function knows where to return to) are saved on the stack.

  • When the compiler has been told (explicitly or implicitly) to use frame pointers, it then saves the frame pointer (in the EBP register) on the stack (so it can later restore the frame pointer to the value it had on the calling function), and then sets the frame pointer to point to the current top of the stack. This allows accessing easily arguments and local variables from a known point of reference (the frame pointer), and greatly simplifies debugging.

  • Then, space is reserved for local variables, and the function is executed.
  • When returning from the function, the previous frame pointer and instruction pointer are restored.

A function call on x86 looks something like:

                                        ...
int main()                              add  $-0x8,%esp ; alignment
{                                       push $0x2       ; arg 2
        ...                             push $0x1       ; arg 1
        func(1, 2);                     call func       ; function call
        ...                             add  $0x10,%esp ; pop args from stack
}                                       ...

And the called function looks something like:

void func(int arg1, int arg2)           push %ebp       ;\
{                                       mov  %esp,%ebp  ;/ create stack frame
        int local1;                     sub  $0x18,%esp ; reserves space
        ...                             ...
}                                       mov  %ebp,%esp  ;\
                                        pop  %ebp       ;/ destroys frame
                                        ret             ; returns

So, the stack will look similar to:

          :           :
          +-----------+
          : alignment :
          +-----------+
12(%ebp)  |   arg2    |
          +-----------+
 8(%ebp)  |   arg1    |
          +-----------+
 4(%ebp)  |    ret    | -----> return address
          +-----------+
  (%ebp)  |    ebp    | -----> previous ebp
          +-----------+
-4(%ebp)  |  local1   | -----> local vars
          +-----------+
          : alignment :
          +-----------+
          :           :

(Lower addresses are lower on the ASCII-art)

like image 200
ninjalj Avatar answered Dec 28 '22 08:12

ninjalj
Sign in to Comment

Related questions

Why does the 6502 microcontroller not have a arithmetic right shift?
If there is any pausing/sleeping or events in x86 assembly
why we can't move a 64-bit immediate value to memory?
How to get keyboard input with x86 bare metal assembly?
ASM in C gives an error with -std=c99
Assembly: Y86 Stack and call, pushl/popl and ret instructions
Left Shift Overflow on 68k/x86?
Illegal instruction in ASM: lock cmpxchg dest, src
How can I find the current date in intel x86 Assembly?
Difference in jump statements in assembly programming
sequentially-consistent atomic load on x86
in linux, is it normal that there is no null character at the end of file
NEON ASM code running much slower than C code?
How to create an x86 binary with 'fake' instructions in it
How do I use C libraries in assembler?
Calling C code from a bootloader
Delphi 7, strings problems
What is the purpose of the assembly instructions after a function I see with ndisasm?
Converting C code to MIPS (arrays)
Translate Delphi+Assembler CRC32 implementation to C#

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!