Any actions that result in overwriting the saved return address by necessity overwrite
the saved frame pointer, which means that when the function returns, you control both
eip and ebp. Frame faking works when a future leave instruction loads the corrupted
ebp into esp. At that point you control the stack pointer, which means you control
where the succeeding ret will take its return address from. Through frame faking, control
of a program can be gained by overwriting ebp alone. In fact, in some cases, control can
be gained by overwriting as little as 1 byte of a saved ebp, as shown in Figure 18-5, in
which an exploitable function foo() has been called by another function bar(). Recall
that many copy operations terminate when a null byte is encountered in the source
memory block, and that the null byte is often copied to the destination memory block.
The figure shows the case where this null byte overwrites a single byte of bar()'s saved
ebp, as might be the case in an off-by-one copying error.
Gray Hat Hacking: The Ethical Hacker's Handbook
474
Figure 18-5: One-byte overwrite of ebp in a frame faking exploit
The epilogue that executes as foo() returns (leave/ret) results in a proper return to
bar().
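As an added illustration that is not from the book, the following Python model steps through the two leave/ret epilogues of Figure 18-5 on a constructed stack image: foo()'s 16-byte buffer, its saved ebp and return address, then bar()'s frame. The addresses and buffer contents are invented for the model; the point it shows is that the one-byte null overwrite leaves foo()'s own return intact while moving the slot from which bar()'s ret later reads its return address into foo()'s buffer.

```python
WORD = 4
BASE = 0xBFFFF000           # constructed: address of foo()'s local buffer

# Constructed stack image of foo()'s and bar()'s frames, low to high.
# Offsets from BASE:
#   0x00..0x0C  foo's 16-byte local buffer (4 words)
#   0x10        foo's saved ebp  (= bar's frame pointer, BASE + 0x30)
#   0x14        foo's saved return address (back into bar)
#   0x18..0x2C  bar's locals (irrelevant here)
#   0x30        bar's saved ebp (= main's frame pointer)
#   0x34        bar's saved return address (back into main)
RET_INTO_BAR = 0x08048420    # constructed code addresses
RET_INTO_MAIN = 0x08048500
MAIN_EBP = BASE + 0x50
BAR_EBP = BASE + 0x30

def build_stack(foo_saved_ebp, buf_words):
    words = list(buf_words)                 # 0x00..0x0C
    words += [foo_saved_ebp, RET_INTO_BAR]  # 0x10, 0x14
    words += [0] * 6                        # 0x18..0x2C
    words += [MAIN_EBP, RET_INTO_MAIN]      # 0x30, 0x34
    return words

class Machine:
    def __init__(self, words, ebp):
        self.mem, self.ebp, self.esp, self.eip = words, ebp, None, None
        self.trace = []                     # (slot ret popped from, eip)

    def pop(self):
        idx = (self.esp - BASE) // WORD
        if not 0 <= idx < len(self.mem):
            raise IndexError(f"esp {self.esp:#x} outside modelled stack")
        value = self.mem[idx]
        self.esp += WORD
        return value

    def leave_ret(self):
        self.esp = self.ebp                 # leave: mov esp, ebp
        self.ebp = self.pop()               #        pop ebp
        ret_slot = self.esp
        self.eip = self.pop()               # ret:   pop eip
        self.trace.append((ret_slot, self.eip))

def return_through_bar(off_by_one, buf_words):
    """Run foo()'s epilogue, then bar()'s. off_by_one zeroes the low byte of
    foo's saved ebp, as a terminating null written one byte past the buffer
    would; returns [(slot ret read from, eip)] for each of the two returns."""
    saved = BAR_EBP & 0xFFFFFF00 if off_by_one else BAR_EBP
    m = Machine(build_stack(saved, buf_words), ebp=BASE + 0x10)  # foo's ebp
    m.leave_ret()   # foo returns: eip = RET_INTO_BAR either way
    m.leave_ret()   # bar returns: esp is now whatever ebp foo restored
    return m.trace
```

Run with a buffer of marker words (e.g. `[0x41414141, 0x42424242, 0x43434343, 0x44444444]`): the clean trace ends at RET_INTO_MAIN read from BASE+0x34, the corrupted one ends with eip = 0x42424242 read from BASE+0x04, inside the buffer.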