If you have spent any time at all developing stack buffer overflow exploits, you know that a reliable return address is essential for transferring control to your shellcode. On Linux systems, the variable-size padding block causes all things placed on the stack afterwards, including stack-based buffers, to move higher or lower in the stack depending on the size of the padding. The result is that a return address that successfully hits a stack-allocated buffer when the padding size is zero may miss the buffer completely when the padding size is 8192, because the buffer has been moved to an address 8192 bytes lower in stack memory. Similar effects can be observed when a program's environment changes from one execution to another, or when a program is executed with different command-line arguments (different in number or length). The larger (or smaller) amount of space required to house the environment and command-line arguments results in a shift of every item allocated lower in the stack than the argument and environment strings.
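The shift described above can be measured directly. The following program is an added example, not code from the book: it models the variable-size block that sits above a vulnerable function's frame (the kernel's stack padding, or a larger environment and argument area) with a variable-length array, then records where a fixed-size stack buffer in the called function lands with and without that block. Because both measurements run in one process and through the same call path, ASLR cancels out and only the padding difference remains. The function names and the 64-byte buffer size are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a vulnerable function: report where its fixed-size stack
 * buffer landed.  The address is written through an out-parameter rather
 * than returned, so the compiler does not treat it as a leaked local.
 * volatile keeps the buffer alive; noinline keeps the frame layout the
 * same on every call. */
__attribute__((noinline)) static void buffer_address(uintptr_t *out)
{
    volatile char buf[64];          /* the "stack-allocated buffer" */
    buf[0] = 'A';
    *out = (uintptr_t)buf;
}

/* Insert a variable-size block above the callee's frame, the way the
 * stack padding (or a longer environment / argument list) does, then ask
 * where the buffer ended up. */
__attribute__((noinline)) static uintptr_t address_below_padding(size_t padding)
{
    volatile char pad[padding + 1]; /* VLA; +1 avoids a zero-length array */
    uintptr_t addr;
    pad[0] = 0;
    pad[padding] = 0;
    buffer_address(&addr);
    return addr;
}

/* How many bytes lower the buffer sits once `padding` bytes are inserted
 * above it.  The volatile copies stop the compiler from specialising
 * address_below_padding() for a constant argument, which would change
 * its frame layout between the two calls. */
long shift_for_padding(size_t padding)
{
    volatile size_t none = 0;
    volatile size_t some = padding;
    uintptr_t unpadded = address_below_padding(none);
    uintptr_t padded   = address_below_padding(some);
    return (long)(unpadded - padded);
}

int main(void)
{
    size_t sizes[] = { 0, 16, 4096, 8192 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("padding %5zu bytes -> buffer sits %5ld bytes lower\n",
               sizes[i], shift_for_padding(sizes[i]));
    return 0;
}
```

On a typical gcc or clang build the reported shift equals the padding size (rounded to the stack's 16-byte alignment), which is exactly why a return address tuned for one padding size misses the buffer under another; it also explains why a defender who sees the same crash land at slightly different addresses across runs should suspect this variable area rather than a change in the program itself.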
Working with a Padded Stack

With some understanding of why variables may move around in the stack, let's discuss how to deal with it when writing exploits. Here are some useful things to know:
• Locating a jmp esp or other jump to register is your best defense against a shifting stack, including ASLR-associated shifts.