
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

You could closely examine a disassembly listing of the exploitable program for the proper instruction, or you could scan the binary executable file for the correct sequence of bytes. The second method is actually much more flexible because it pays no attention to instruction and data boundaries and simply searches for the sequence of bytes that form your desired instruction. David Litchfield of NGS Software created a program named getopcode.c to do exactly this. The program operates on Linux binaries and reports any occurrences of a desired jump-to-register or call-to-register instruction sequence. Using getopcode to locate a jmp edi in a binary named exploitable looks like this:

# ./getopcode exploitable "jmp edi"
GETOPCODE v1.0
SYSTEM (from /proc/version):
Linux version 2.4.20-20.9 (bhcompile@stripples.devel.redhat.com) (gcc version
3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 Mon Aug 18 11:45:58 EDT 2003
Searching for "jmp edi" opcode in exploitable
Found "jmp edi" opcode at offset 0x0000AFA2 (0x08052fa2)
Finished.

What all this tells us is that, if the state of exploitable at the time you take control of eip leaves the edi register pointing at your shellcode, then by placing the address 0x08052fa2 into eip you will be bounced into your shellcode. Note that getopcode reports two numbers: the offset of the bytes within the file (0x0000AFA2) and the virtual address those bytes occupy once the binary is loaded (0x08052fa2). It is the second value, the loaded address, that belongs in eip.
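The following is an added illustration, written for this page and not David Litchfield's getopcode.c, of the two things the passage describes: a raw byte scan that ignores instruction boundaries, and the translation of a file offset into the loaded virtual address that getopcode prints in parentheses. The opcode table (FF E0-E7 for jmp reg, FF D0-D7 for call reg) is standard 32-bit x86 encoding; the ELF32 header and program-header layout is taken from the ELF specification; the sample image, the register order and every function name are this example's own. The constructed image is not a real program: it is just enough ELF for the offset-to-address arithmetic to work, with one FF E7 planted as a genuine jmp edi and another hidden inside the immediate of a mov, so that the scan's boundary-blindness is visible in the output.

```python
import struct

# 32-bit x86: "jmp reg" encodes as FF /4 (FF E0..E7), "call reg" as FF /2 (FF D0..D7).
# The low three bits select the register in the order eax, ecx, edx, ebx, esp, ebp, esi, edi.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
OPCODES = {}
for _i, _r in enumerate(REGS):
    OPCODES["jmp " + _r] = bytes([0xFF, 0xE0 + _i])
    OPCODES["call " + _r] = bytes([0xFF, 0xD0 + _i])


def parse_elf32_load_segments(data):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD segment of a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    e_phoff = struct.unpack_from("<I", data, 0x1C)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
    segments = []
    for n in range(e_phnum):
        base = e_phoff + n * e_phentsize
        p_type, p_offset, p_vaddr, _p_paddr, p_filesz = struct.unpack_from("<IIIII", data, base)
        if p_type == 1:  # PT_LOAD
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments


def file_offset_to_vaddr(offset, segments):
    """Map a file offset to the address it is loaded at, or None if no PT_LOAD covers it."""
    for p_offset, p_vaddr, p_filesz in segments:
        if p_offset <= offset < p_offset + p_filesz:
            return p_vaddr + (offset - p_offset)
    return None


def find_opcode(data, mnemonic):
    """Byte-scan the whole image for the opcode, ignoring instruction and data boundaries.

    Returns a list of (file_offset, vaddr) pairs; vaddr is None for bytes outside any loadable segment.
    """
    pattern = OPCODES[mnemonic]
    segments = parse_elf32_load_segments(data)
    hits = []
    pos = data.find(pattern)
    while pos != -1:
        hits.append((pos, file_offset_to_vaddr(pos, segments)))
        pos = data.find(pattern, pos + 1)
    return hits


def build_sample_elf():
    """Constructed toy ELF32 image (not a real program) for demonstration only.

    One PT_LOAD segment maps file offset 0 to 0x08048000. A real FF E7 (jmp edi) is placed at
    offset 0x60; a second FF E7 sits inside the immediate of "mov edi, 0xE7FF1234" at 0x80,
    where it is data rather than an instruction.
    """
    image = bytearray(0x100)
    image[0:16] = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # ELFCLASS32, little-endian, v1
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    struct.pack_into("<HHIIIIIHHHHHH", image, 16,
                     2, 3, 1, 0x08048060, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    # PT_LOAD: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags (R+X), p_align
    struct.pack_into("<IIIIIIII", image, 52, 1, 0, 0x08048000, 0x08048000, 0x100, 0x100, 5, 0x1000)
    image[0x60:0x62] = OPCODES["jmp edi"]
    image[0x80:0x85] = bytes([0xBF, 0x34, 0x12, 0xFF, 0xE7])  # mov edi, 0xE7FF1234
    return bytes(image)


def report(data, mnemonic):
    """Render hits in the same shape as the getopcode output quoted on the page."""
    lines = ['Searching for "%s" opcode' % mnemonic]
    for offset, vaddr in find_opcode(data, mnemonic):
        loaded = "0x%08x" % vaddr if vaddr is not None else "not loaded"
        lines.append('Found "%s" opcode at offset 0x%08X (%s)' % (mnemonic, offset, loaded))
    lines.append("Finished.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_elf(), "jmp edi"))
```

Running the block on the constructed image reports both FF E7 pairs, at 0x00000060 and 0x00000083, even though only the first is an instruction the compiler emitted; that is exactly the trade-off the passage describes, since a scan that does not care about boundaries finds more candidates than a disassembler would but leaves it to the analyst to confirm each one. The loaded address is computed as p_vaddr + (offset - p_offset), which is the relationship between the two numbers in getopcode's output line.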

