However, the value 0xBFFFF900 is loaded into ebp rather than the correct value of
0xBFFFF9F8. When bar later returns, its epilogue code first transfers ebp to esp, causing
esp to point into your buffer at Next ebp. Then it pops Next ebp into ebp, which is useful
if you want to create a chained frame-faking sequence, because again you control
ebp. The last part of bar()'s epilogue, the ret instruction, pops the top value on the
stack, Next eip, which you control, into eip and you gain control of the application.
Return to libc Defenses
Return to libc exploits can be difficult to defend against because, unlike the stack
and the heap, a library of shared functions cannot be marked nonexecutable; doing so
would defeat the purpose of the library. As a result, attackers will always be able to jump
to and execute code within libraries. Defensive techniques therefore aim to make it hard to
figure out where to jump. There are two primary means of doing this. The first method is to
load libraries at new, random locations every time a program is executed. This may prevent
exploits from working 100 percent of the time, but brute-forcing may still lead to an
exploit, because at some point the library will be loaded at an address that has been used
in the past.
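As an added example (not from the book), here is a small defender's check for the library-randomization defense just described: it parses /proc/<pid>/maps dumps taken from several runs and reports, per shared library, whether the base address ever changed. The two maps dumps embedded below are constructed samples; the live_runs helper assumes a Linux /proc filesystem.

```python
"""Added example (not from the book): does each shared library load at a
different base on every run?  Parses /proc/<pid>/maps dumps and compares."""
import re
import subprocess
from collections import defaultdict

# One maps line: "start-end perms offset dev inode pathname"; only .so paths kept
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s+(\S+\.so\S*)$")

def library_bases(maps_text):
    """Return {path: lowest start address} for each shared object in one dump."""
    bases = {}
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            start, path = int(m.group(1), 16), m.group(2)
            bases[path] = min(start, bases.get(path, start))
    return bases

def randomized_libraries(runs):
    """Map each library path to True if its base differed between any two runs.
    A False entry means the randomization defense is not in effect for it."""
    seen = defaultdict(set)
    for dump in runs:
        for path, base in library_bases(dump).items():
            seen[path].add(base)
    return {path: len(b) > 1 for path, b in seen.items()}

def live_runs(n=5):
    """Collect n maps dumps from freshly started processes (Linux only)."""
    return [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                           text=True, check=True).stdout for _ in range(n)]

# Constructed sample dumps modelled on 32-bit Linux output; in RUN_B both
# libc and the dynamic loader sit at different bases than in RUN_A
RUN_A = """\
08048000-08049000 r-xp 00000000 08:01 1000 /home/user/bar
b7e1a000-b7f5c000 r-xp 00000000 08:01 2000 /lib/libc.so.6
b7f5c000-b7f5e000 r--p 00142000 08:01 2000 /lib/libc.so.6
b7f71000-b7f8c000 r-xp 00000000 08:01 2001 /lib/ld-linux.so.2
bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
08048000-08049000 r-xp 00000000 08:01 1000 /home/user/bar
b7d4c000-b7e8e000 r-xp 00000000 08:01 2000 /lib/libc.so.6
b7ea3000-b7ebe000 r-xp 00000000 08:01 2001 /lib/ld-linux.so.2
"""
```

Calling randomized_libraries(live_runs()) performs the check on the running system; any library reported False is loading at a fixed address, so the defense is not protecting it.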