Monday, 15 August 2011

Overflowing a stack in theory... and assembly


Assuming an x86 scheme with no ASLR, I'd like to ask the following:

1) Theory says that when we execute a stack overflow attack, the value pointed to by the EBP register is overwritten by the new return address too.

Now, since we never go back to the caller function, we don't need EBP's original value to restore the previous stack frame. Nevertheless, the EBP register must point somewhere at all times. How is EBP set after the EIP register starts pointing to our new shellcode? More specifically, which of the 2 assembly instructions (leave-ret) induces the further microinstruction that restores the EBP value?

2) Last but not least, I'd like to ask how we make sure that, on occasions where our shellcode needs to push a couple of values on the stack, these values won't overwrite part of the shellcode? In other words, how can the shellcode-generated variables be placed before the start of the shellcode, for instance, and not somewhere in between?

Thanks in advance.

In reply to part 2 of the question: depending on the syscall you are making, you may have to set a value at esp (as an arg array). If that's at the end of the shellcode, fine. However, if there is more shellcode and you happen to push, and esp happens to point somewhere in the rest of the shellcode, you might be in trouble (because at that point you are writing over your own instructions). A simple fix: prepend sub $0x99, %esp at the start of the shellcode.

Edit (in response to comments)

Perhaps I misunderstood the question. When you said 'stack overflow' I assumed you meant buffer overflow. If I assumed correctly, read on. Assuming you are talking about the classic smashing-the-stack sort of exploit (which seems to be the case based on the image you linked to), you fill the buffer with a NOP sled and shellcode, and overwrite the return pointer. Shellcode is "position independent code". That means a series of instructions that can be executed regardless of the current state of registers, flags etc.

Normally (this is the way the link you posted depicts it) you fill the buffer with NOPs, followed by the shellcode, and the return address points somewhere into the NOP sled. When the ret instruction is executed, the address at %esp is popped into %eip and %esp is incremented by 4 (in x86). The problem is that if your shellcode has several push instructions, these have the side effect of decrementing %esp. If you have plenty of them and the shellcode is way at the end (i.e. adjacent to the return address) you may end up overwriting the shellcode with the push instructions.

So, to reply to your question: no, there is no 'mechanism' to separate the shellcode from 'its stack', because there is no stack per se for the shellcode. Remember, it is position independent code. It must be able to run regardless of machine state. Any stack management that needs to happen must be performed by the shellcode itself. That's why I suggested sub $0x99, %esp at the beginning of the shellcode if you have many push statements in your code. The alternative is to make sure there is sufficient space between the return address (which %esp-4 is pointing at) and the shellcode.
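To make the address arithmetic in the answer concrete, here is an added C model (not code from the question or the answer) of the 32-bit frame it describes: saved ebp at the end of the buffer, return address 4 bytes above it, esp 8 bytes above the buffer end once ret has popped. The addresses, buffer size and shellcode length are constructed sample values; the model only checks whether a run of push instructions would land on the shellcode bytes, with and without the reserve that sub $N, %esp creates.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed x86 (32-bit) frame layout after a classic buffer overflow. */
typedef struct {
    uint32_t buf;       /* address of the overflowed buffer */
    uint32_t buf_len;   /* bytes from buf up to the saved ebp slot */
    uint32_t sc_start;  /* first byte of the shellcode inside the buffer */
    uint32_t sc_len;    /* shellcode length in bytes */
} frame_t;

/* Sample layout: 256-byte buffer, 45-byte shellcode placed right
 * against the saved ebp (the "adjacent to the return address" case). */
frame_t example_frame(void) {
    frame_t f = { 0xbffff800u, 256u, 0u, 45u };
    f.sc_start = f.buf + f.buf_len - f.sc_len;
    return f;
}

/* ret pops the return address: saved ebp sits at buf+buf_len, the return
 * address 4 bytes above it, so esp ends up 8 bytes past the buffer end. */
uint32_t esp_after_ret(const frame_t *f) { return f->buf + f->buf_len + 8u; }

/* 1 if n_pushes 4-byte pushes, executed after an initial `sub $reserve, %esp`,
 * write over any shellcode byte. Each push writes the 4 bytes just below esp. */
int pushes_clobber_shellcode(const frame_t *f, uint32_t reserve, unsigned n_pushes) {
    uint32_t esp  = esp_after_ret(f) - reserve;
    uint32_t low  = esp - 4u * n_pushes;   /* lowest address written */
    uint32_t high = esp;                   /* one past the highest address written */
    return low < f->sc_start + f->sc_len && high > f->sc_start;
}

/* Smallest reserve that moves esp at or below the shellcode start, so that
 * every later push lands in the already-executed NOP sled instead. */
uint32_t min_reserve(const frame_t *f) {
    uint32_t esp = esp_after_ret(f);
    return esp > f->sc_start ? esp - f->sc_start : 0u;
}

int main(void) {
    frame_t f = example_frame();
    printf("esp after ret: 0x%08x, shellcode at 0x%08x\n", esp_after_ret(&f), f.sc_start);
    for (unsigned n = 1; n <= 4; n++)
        printf("%u push(es), no reserve: %s\n", n,
               pushes_clobber_shellcode(&f, 0, n) ? "CLOBBERS shellcode" : "safe");
    printf("10 pushes after sub $0x99,%%esp: %s\n",
           pushes_clobber_shellcode(&f, 0x99, 10) ? "CLOBBERS shellcode" : "safe");
    printf("minimum reserve for this layout: %u bytes\n", min_reserve(&f));
    return 0;
}
```

With the shellcode flush against the saved ebp, only the 8 bytes of saved ebp and return address are free, so the third push already overwrites code; a reserve of 0x99 (or any value of at least min_reserve) moves the writes below the shellcode entirely.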

assembly stack-overflow buffer-overflow shellcode
