Page 797

Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

If eip points into either the stack or the heap, you need to determine whether you can inject code into the location referenced by eip. If so, you can probably build a successful exploit. If not, then you need to determine why eip is pointing at data and whether you can control where it points, potentially redirecting eip to a location containing user-supplied data. If you find that you have complete control over the contents of eip, then it becomes a matter of successfully directing eip to a location from which you can control the program.
General Register Analysis

If you haven't managed to take control of eip, the next step is to determine what damage you can do using other available registers. Disassembly of the program in the vicinity of eip should reveal the operation that caused the program crash. The ideal condition that you can take advantage of is a write operation to a location of your choosing. If the program has crashed while attempting to write to memory, you need to determine exactly how the destination address is being calculated. Each general-purpose register should be studied to see if it (a) contributes to the destination address computation, and (b) contains user-supplied data. If both of these conditions hold, it should be possible to write to any memory location.
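The two checks described above (where eip points, and whether the registers feeding a faulting write hold input) are the same ones a fuzzing pipeline applies when ranking crashes for triage. As an added example, not taken from the book, here they are as a small triage routine; the register dump, the memory map and the 0x41414141 marker pattern are constructed inputs, and the list of registers that form the faulting memory operand is assumed to have been read off the disassembly by the analyst.

```python
# Constructed sample data: a 32-bit crash record of the kind a fuzzing harness
# dumps. MARKER stands in for a byte pattern the harness fed the program, so a
# register holding it is taken to be input-controlled.
MARKER = 0x41414141

# Assumed memory map of the crashed process (made up for this example):
# (name, start, end-exclusive).
MEMORY_MAP = [
    ("text", 0x08048000, 0x0804C000),
    ("heap", 0x0804D000, 0x08060000),
    ("stack", 0xBFFE0000, 0xC0000000),
]

def region_of(addr):
    """Name of the mapped region containing addr, or None if unmapped."""
    for name, start, end in MEMORY_MAP:
        if start <= addr < end:
            return name
    return None

def input_controlled(value):
    return value == MARKER

def triage(regs, fault):
    """Rank a crash by the criteria in the text.

    regs:  register name -> value at the crash.
    fault: {'kind': 'exec' | 'read' | 'write', 'addr_regs': [...]}; addr_regs
           lists the registers the faulting instruction combined into its
           memory operand, as the analyst reads them off the disassembly.
    Returns {'severity': ..., 'findings': [...]} for the triage queue.
    """
    findings, severity = [], "unknown"
    eip = regs["eip"]
    where = region_of(eip)
    if where in ("stack", "heap"):
        findings.append(f"eip points into {where} data; check whether input reaches it")
        severity = "probably_exploitable"
    if input_controlled(eip):
        findings.append("eip fully input-controlled")
        severity = "exploitable"
    if fault["kind"] == "write":
        tainted = [r for r in fault["addr_regs"] if input_controlled(regs[r])]
        if tainted:
            findings.append("write destination built from input-controlled " + ", ".join(tainted))
            severity = "exploitable"
        else:
            findings.append("write fault but destination not input-controlled")
    return {"severity": severity, "findings": findings}
```

Crashes ranked "exploitable" or "probably_exploitable" are the ones to fix first; a real pipeline would replace the single marker value with the harness's actual input bytes and the memory map with the one read from the core file.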

