As discussed in previous chapters, injecting the
exact address of your shellcode into eip can lead to unreliable results since your
shellcode may move around in memory. When the address of your shellcode appears in
a CPU register, you gain the opportunity to do an indirect jump to your shellcode. Using
a stack-based buffer overflow as an example, you know that a buffer has been overwritten
to control a saved return address. Once the return address has been popped off the
stack, the stack pointer continues to point to memory that was involved in the overflow
and which could easily contain your shellcode. The classic technique for return address
specification is to overwrite the saved eip with an address that will point to your
shellcode so that the return statement jumps directly into your code. While the return
address can be difficult to predict, you do know that esp points to memory that contains
your malicious input, because following the return from the vulnerable function,
it points 4 bytes beyond the overwritten return address. A better technique for gaining
reliable control would be to execute a jmp esp or call esp instruction at this point.
Reaching your shellcode becomes a two-step process in this case.
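To make the "4 bytes beyond the return address" claim concrete, the following is an added Python model of the stack frame described above; it is not code from the book. It assumes a constructed 32-bit frame laid out as a 16-byte local buffer, the saved ebp, the saved eip and then the caller's stack, with made-up addresses, and it only simulates an unchecked copy followed by a `ret`, recording where esp lands and what bytes it points at.

```python
import struct

BUF_SIZE = 16              # size of the vulnerable local buffer (assumed)
STACK_BASE = 0xBFFFF000    # constructed base address of the modelled frame
SAVED_EBP = 0xBFFFF100     # constructed saved frame pointer
ORIG_RET = 0x08048400      # constructed original return address


def simulate_overflow(payload: bytes):
    """Model an unchecked copy into a 32-bit frame followed by the function's 'ret'.

    Frame layout (low to high addresses):
        [ buf (16) ][ saved ebp (4) ][ saved eip (4) ][ caller's stack ... ]
    Returns (eip loaded by ret, esp after ret, bytes esp points to).
    """
    frame = bytearray(BUF_SIZE + 4 + 4 + 32)
    struct.pack_into("<I", frame, BUF_SIZE, SAVED_EBP)
    struct.pack_into("<I", frame, BUF_SIZE + 4, ORIG_RET)

    # Unchecked copy: nothing stops the write from running past the buffer
    # into the saved ebp, the saved eip and the caller's stack beyond them.
    n = min(len(payload), len(frame))
    frame[:n] = payload[:n]

    # 'ret' pops 4 bytes from the saved-eip slot into eip and advances esp by 4,
    # so esp now addresses the first byte after the (possibly overwritten) slot.
    eip_slot = BUF_SIZE + 4
    eip = struct.unpack_from("<I", frame, eip_slot)[0]
    esp_offset = eip_slot + 4
    esp = STACK_BASE + esp_offset
    return eip, esp, bytes(frame[esp_offset:])


def return_slot_address() -> int:
    """Address of the saved-eip slot in the modelled frame."""
    return STACK_BASE + BUF_SIZE + 4


if __name__ == "__main__":
    # Constructed input: fill the buffer and saved ebp, then the return slot,
    # then 8 marker bytes that end up exactly where esp points after 'ret'.
    sample = b"A" * BUF_SIZE + b"B" * 4 + struct.pack("<I", 0xDEADBEEF) + b"\xcc" * 8
    eip, esp, at_esp = simulate_overflow(sample)
    print(hex(eip), hex(esp), hex(esp - return_slot_address()), at_esp[:8])
```

Because esp after `ret` equals the return-slot address plus 4, the marker bytes following the return value in the input are exactly what a `jmp esp` or `call esp` would transfer control to; a payload too short to reach the slot leaves eip at its original value.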