
Is it possible to overwrite %eax using buffer overflow?

I know that a program stack looks somewhat like this (from high to low):

   EIP   |   EBP   |   local variables

But where could I find %eax, and the other general registers? Is it possible to overwrite them using a buffer overflow?

Update: In the end, I did not even have to overwrite %eax, because it turned out that the program pointed %eax to the user input at some point.

LonelyWebCrawler asked Nov 03 '14 03:11


1 Answer

A register, by definition, is not in RAM. Registers are in the CPU and do not have addresses, so you cannot overwrite them with a buffer overflow. However, there are very few registers, so the compiler really uses them as a kind of cache for the most used stack elements. This means that while you cannot overflow into registers stricto sensu, values overwritten in RAM will sooner or later be loaded into registers.

(In the SPARC CPU, the registers-as-stack-cache policy is even hardwired.)

In your schema, EIP and EBP are not on the stack; the corresponding slots on the stack are areas from which these two registers will be reloaded (upon function exit). EAX, on the other hand, is a general purpose register that the code will use here and there, without a strict convention.

Thomas Pornin answered Oct 04 '22 00:10
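The answer's point, that an overflow never touches a register but only the RAM slots from which `leave` and `ret` will later refill EBP and EIP, can be made concrete with a small model. The following C program is an added example, not code from the question or the answer: it lays out the frame from the question as a byte array (a 16-byte local buffer, then the saved-EBP slot, then the saved-EIP slot, all sizes and "clean" values being assumptions of the model), runs an unbounded copy into the buffer, and then performs the epilogue by hand so you can see which input length reaches which slot. It deliberately does not model EAX, because, as the answer says, EAX has no dedicated stack slot to overflow into. The frame is little-endian 32-bit, as on x86; the host architecture does not matter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled 32-bit x86 frame, lowest address first, as in the question:
 *   buf[16] (local variable) | saved EBP (4 bytes) | saved EIP (4 bytes)
 * The buffer size and the "clean" saved values are assumptions of the model. */
#define BUF_SIZE   16
#define OFF_EBP    BUF_SIZE
#define OFF_EIP    (BUF_SIZE + 4)
#define FRAME_SIZE (BUF_SIZE + 8)

#define CLEAN_EBP 0xbffff000u   /* hypothetical caller frame pointer */
#define CLEAN_EIP 0x08048400u   /* hypothetical return address */

struct regs32 { uint32_t ebp; uint32_t eip; };

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* A fresh frame: empty buffer, sane saved slots. */
static void init_frame(uint8_t frame[FRAME_SIZE]) {
    memset(frame, 0, FRAME_SIZE);
    store_le32(frame + OFF_EBP, CLEAN_EBP);
    store_le32(frame + OFF_EIP, CLEAN_EIP);
}

/* The bug: an unbounded copy into the local buffer (think strcpy/gets).
 * The copy is clamped to the modelled frame only so the model itself can
 * never corrupt the host program's real stack. */
static void vulnerable_copy(uint8_t frame[FRAME_SIZE], const uint8_t *in, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(frame, in, len);
}

/* The epilogue 'leave; ret': EBP and EIP are refilled from the RAM slots.
 * Nothing ever addresses the registers; this reload is the only way the
 * overflow reaches them. */
static struct regs32 leave_ret(const uint8_t frame[FRAME_SIZE]) {
    struct regs32 r;
    r.ebp = load_le32(frame + OFF_EBP);
    r.eip = load_le32(frame + OFF_EIP);
    return r;
}

/* Feed one input through the vulnerable function and report the register
 * values the epilogue would produce. */
struct regs32 regs_after_input(const uint8_t *in, size_t len) {
    uint8_t frame[FRAME_SIZE];
    init_frame(frame);
    vulnerable_copy(frame, in, len);
    return leave_ret(frame);
}

/* Build the classic payload: fill the buffer, put junk in the saved-EBP
 * slot, then place the target where 'ret' will pop it. Returns the payload
 * length, or 0 if the output buffer is too small. */
size_t build_payload(uint8_t *out, size_t cap, uint32_t target) {
    if (cap < FRAME_SIZE) return 0;
    memset(out, 'A', BUF_SIZE);          /* filler for the local buffer */
    memset(out + OFF_EBP, 'B', 4);       /* saved EBP slot: don't care */
    store_le32(out + OFF_EIP, target);   /* saved EIP slot: control flow */
    return FRAME_SIZE;
}

/* End to end: what does 'ret' load after the crafted payload? */
uint32_t eip_after_payload(uint32_t target) {
    uint8_t payload[FRAME_SIZE];
    size_t n = build_payload(payload, sizeof payload, target);
    return regs_after_input(payload, n).eip;
}

int main(void) {
    struct regs32 r;
    uint8_t twenty[20];

    r = regs_after_input((const uint8_t *)"hello", 5);   /* fits: both slots clean */
    printf("short input : ebp=%08x eip=%08x\n", r.ebp, r.eip);

    memset(twenty, 'A', sizeof twenty);
    r = regs_after_input(twenty, sizeof twenty);         /* 4 past buf: only EBP hit */
    printf("20 x 'A'    : ebp=%08x eip=%08x\n", r.ebp, r.eip);

    printf("full payload: eip=%08x\n", eip_after_payload(0xdeadbeefu));
    return 0;
}
```

The three cases show the progression the answer describes: a short input changes nothing, an input four bytes too long corrupts only the saved-EBP slot (so the caller's frame pointer is garbage after `leave`, but control flow is intact), and the full payload replaces the saved return address, which `ret` then pops into EIP. On a real binary the exact offsets depend on the compiler's frame layout and any padding, so the 16 and 20 here must be measured per target, not assumed.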