The challenge to generating a successful exploit is determining the exact address at which system() resides, which is dependent on where the C library is loaded at program startup. Traditional return to libc exploits were covered in Chapter 8. Several advanced return to libc exploits are covered in Nergal's outstanding article in Phrack 58 (see "References"). Of particular interest is the "frame faking" technique, which relies on compiler-generated function return code, called an epilogue, to take control of a program after hijacking the frame pointer register used during function calls.
Chapter 18: From Vulnerability to Exploit
473
PART IV
NOTE Typical epilogue code in x86 binaries consists of the two instructions
leave and ret. The leave instruction transfers the contents of ebp into esp,
and then pops the top value on the stack, the saved frame pointer, into ebp.
On x86 systems, the ebp register serves as the frame pointer, and its contents are saved on the stack at the start of most functions (in the function's prologue). The saved frame pointer sits directly adjacent to the saved return address: the push ebp comes immediately after the call instruction pushed the return address, so the saved ebp occupies the next lower word in memory, which is why a buffer overflow that reaches the return address overwrites the saved ebp first.
NOTE Typical x86 prologue code consists of a push ebp to save the caller's frame pointer, a mov ebp, esp to set up the new frame pointer, and finally a stack adjustment such as sub esp, 512 to allocate space for local variables.
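To make the two NOTEs concrete, the following is an added example, not code from the book or from Nergal's article, that simulates what leave and ret do once the saved frame pointer has been replaced. It models only the pieces the technique needs: a 256-byte simulated stack at a hypothetical base, the esp and ebp registers, and three code addresses (ADDR_LEAVE_RET, ADDR_SYSTEM, ADDR_EXIT) that are assumptions chosen for the simulation rather than real binary or libc addresses. The fake-frame layout [next ebp][function][return address][first argument], the constructed payload, and the simulated system() that merely records its argument are likewise assumptions. The example goes one step beyond the text by chaining two calls before exit(), which is why each fake frame's return-address slot points back at the epilogue.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Frame-faking simulation.  Models just enough of a 32-bit x86 CPU to show
 * what "leave; ret" does after the saved frame pointer has been hijacked.
 * All addresses are assumptions for the simulation, not real addresses.
 */
#define STACK_BASE     0xbffff000u
#define STACK_SIZE     256u
#define ADDR_LEAVE_RET 0x080484f0u   /* any "leave; ret" sequence in the binary */
#define ADDR_SYSTEM    0x40058e80u   /* simulated libc system() */
#define ADDR_EXIT      0x40034a60u   /* simulated libc exit() */

static unsigned char stack[STACK_SIZE];   /* simulated stack memory */
static uint32_t esp, ebp;                 /* simulated registers */
static int fault;                         /* set on an out-of-range access */

static char commands[4][32];              /* arguments seen by simulated system() */
static int ncommands;

static int in_stack(uint32_t addr) {
    return addr >= STACK_BASE && addr - STACK_BASE + 4 <= STACK_SIZE;
}
static uint32_t rd32(uint32_t addr) {
    uint32_t v = 0;
    if (!in_stack(addr)) { fault = 1; return 0; }
    memcpy(&v, &stack[addr - STACK_BASE], 4);
    return v;
}
static void wr32(uint32_t addr, uint32_t v) {
    if (!in_stack(addr)) { fault = 1; return; }
    memcpy(&stack[addr - STACK_BASE], &v, 4);
}

/* The epilogue: leave (mov esp, ebp; pop ebp) followed by ret (pop eip). */
static void leave_ret(uint32_t *eip) {
    esp = ebp;
    ebp = rd32(esp); esp += 4;
    *eip = rd32(esp); esp += 4;
}

/* Execute from eip until the simulated exit() is reached (returns 1) or
 * control lands somewhere the simulation does not model (returns 0). */
static int run(uint32_t eip) {
    for (int step = 0; step < 32 && !fault; step++) {
        if (eip == ADDR_LEAVE_RET) {
            leave_ret(&eip);
        } else if (eip == ADDR_SYSTEM) {
            /* Entered via ret, so [esp] is the return address and [esp+4]
             * the first argument, exactly as after a real call instruction. */
            uint32_t arg = rd32(esp + 4);
            if (!in_stack(arg) || ncommands >= 4) return 0;
            strncpy(commands[ncommands], (const char *)&stack[arg - STACK_BASE], 31);
            commands[ncommands][31] = '\0';
            ncommands++;
            eip = rd32(esp); esp += 4;        /* ret from system() */
        } else if (eip == ADDR_EXIT) {
            return 1;
        } else {
            return 0;                          /* a real CPU would crash here */
        }
    }
    return 0;
}

/* Write one fake frame: [next fake ebp][function][return addr][first arg]. */
static void fake_frame(uint32_t at, uint32_t next_ebp, uint32_t fn,
                       uint32_t ret, uint32_t arg) {
    wr32(at, next_ebp); wr32(at + 4, fn); wr32(at + 8, ret); wr32(at + 12, arg);
}

int frame_faking_demo(void) {
    memset(stack, 0, sizeof stack);
    ncommands = 0; fault = 0;

    /* Constructed payload: the overflowed buffer (low addresses first) holds
     * two command strings and three fake frames, and the overflow ran on
     * into the vulnerable function's saved ebp and return address. */
    uint32_t cmd1 = STACK_BASE + 64, cmd2 = cmd1 + 16;
    uint32_t frame1 = cmd2 + 16, frame2 = frame1 + 16, frame3 = frame2 + 16;
    uint32_t saved_ebp = frame3 + 16, saved_ret = saved_ebp + 4;

    strcpy((char *)&stack[cmd1 - STACK_BASE], "id");
    strcpy((char *)&stack[cmd2 - STACK_BASE], "/bin/sh");
    fake_frame(frame1, frame2, ADDR_SYSTEM, ADDR_LEAVE_RET, cmd1);  /* system("id")      */
    fake_frame(frame2, frame3, ADDR_SYSTEM, ADDR_LEAVE_RET, cmd2);  /* system("/bin/sh") */
    fake_frame(frame3, 0,      ADDR_EXIT,   0,              0);     /* exit(0)           */

    wr32(saved_ebp, frame1);          /* hijacked frame pointer */
    wr32(saved_ret, ADDR_LEAVE_RET);  /* return into any epilogue */

    /* The vulnerable function reaches its own epilogue with ebp pointing at
     * its saved-ebp slot; from this point the fake frames drive execution. */
    ebp = saved_ebp;
    esp = saved_ebp - 64;
    uint32_t eip;
    leave_ret(&eip);
    return run(eip) && !fault;
}

int sim_command_count(void) { return ncommands; }
const char *sim_command(int i) { return (i >= 0 && i < ncommands) ? commands[i] : ""; }

int main(void) {
    int ok = frame_faking_demo();
    printf("chain %s; simulated system() calls:\n", ok ? "reached exit()" : "crashed");
    for (int i = 0; i < sim_command_count(); i++)
        printf("  system(\"%s\")\n", sim_command(i));
    return ok ? 0 : 1;
}
```

The point to take from the trace is that after the first leave; ret the attacker never needs another overflow: each fake frame supplies the next ebp, so every subsequent epilogue reloads esp from attacker-controlled memory and every ret pops an attacker-chosen address. A real exploit replaces the three hypothetical addresses with the real ones, which on a system without ASLR do not change between runs.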