The first step is to overwrite
the saved return address with the address of a jmp esp or call esp instruction.
When the exploitable function returns, control transfers to the jmp esp, which immediately
transfers control back to your shellcode. This sequence of events is detailed in
Figure 18-3.
A jump to esp is an obvious choice for this type of operation, but any register that happens
to point to your user-supplied input buffer (the one containing your shellcode) can
be used. Whether the exploit is a stack-based overflow, a heap overflow, or a format string
exploit, if you can find a register that is left pointing to your buffer, you can attempt to vector
a jump through that register to your code. For example, if you recognize that the esi
register points to your buffer when you take control of eip, then a jmp esi instruction
would be a very helpful thing to find.
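To make the frame layout behind this trick concrete, here is an added C model (not the book's code) of the frame described above: an unchecked copy runs over the saved return address, and the bytes that followed it in the input are exactly where esp points once `ret` executes, which is why a `jmp esp` lands in the caller's own buffer; the checked variant refuses the over-long input so the slot is never touched. The `struct frame` layout, the `ORIGINAL_RET` placeholder and the `OVERLONG` input are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 16
#define ORIGINAL_RET 0x08041234u /* placeholder for the legitimate return address */

/* Constructed model of the vulnerable function's frame, lowest address first,
 * as a typical 32-bit x86 compiler lays it out with no stack cookie. */
struct frame {
    uint8_t  buf[BUF_SIZE];  /* user input is copied here */
    uint32_t saved_ebp;
    uint32_t saved_ret;      /* the slot 'ret' pops into eip */
    uint8_t  above_ret[8];   /* where esp points the instant after 'ret' */
};

/* Constructed 32-byte input, 16 bytes longer than buf. */
static const uint8_t OVERLONG[32] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'P','P','P','P',                /* lands in saved_ebp */
    'R','R','R','R',                /* lands in saved_ret -> 0x52525252 */
    'S','S','S','S','S','S','S','S' /* lands in above_ret, i.e. under esp */
};

/* Unchecked copy, the bug the text assumes (think strcpy into a local). buf is
 * at offset 0, so copying into the frame models a write that runs on over
 * saved_ebp and saved_ret. Returns what now sits in the return-address slot. */
uint32_t copy_unchecked(struct frame *f, const uint8_t *in, size_t n) {
    f->saved_ret = ORIGINAL_RET;
    memcpy((uint8_t *)f, in, n); /* the model assumes n <= sizeof *f */
    return f->saved_ret;
}
/* Hardened copy: refuse input that does not fit, so the slot stays intact. */
int copy_checked(struct frame *f, const uint8_t *in, size_t n) {
    f->saved_ret = ORIGINAL_RET;
    if (n > BUF_SIZE) return -1;
    memcpy(f->buf, in, n);
    return 0;
}
/* esp after 'ret' is &saved_ret + 4, the offset of above_ret: a 'jmp esp'
 * lands on the bytes that followed the overwritten return address. */
size_t esp_after_ret_offset(void) { return offsetof(struct frame, above_ret); }

int main(void) {
    struct frame f;
    printf("unchecked: slot=0x%08x, esp at frame+%zu\n",
           (unsigned)copy_unchecked(&f, OVERLONG, sizeof OVERLONG), esp_after_ret_offset());
    int rc = copy_checked(&f, OVERLONG, sizeof OVERLONG);
    printf("checked:   rc=%d, slot=0x%08x\n", rc, (unsigned)f.saved_ret);
    return 0;
}
```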
Figure 18-3 Bouncing back to the stack
NOTE The x86 architecture uses the esi register as a "source index" register
for string operations. During string operations, it will contain the memory
address from which data is to be read, while edi, the destination index, will
contain the address at which the data will be written.
The question of where to find a useful jump remains.