7

It appears that a common exploit trick is to use stack overflow to overwrite the instruction pointer such that it points to a `jmp esp` instruction somewhere in the code segment which then executes the arbitrary code of the attacker's choice.

However, I have a hard time understanding what use legitimate programs (which to my understanding are usually not self-modifying and have all of their executable code stored in the code segment) would have in including such `jmp esp` instructions in the first place.

1110101001

  • The instruction `jmp esp` is encoded as `FF E4`. You don’t need to find an existing `jmp`, you just need to find these bytes in the middle of any other instruction. This is the basis for a lot of exploit techniques, notably return oriented programming (ROP). – David Mar 29 '18 at 22:39
  • @David Ah that makes sense and seems obvious in retrospect. Feel free to post that as an answer. – 1110101001 Mar 29 '18 at 22:41

1 Answer

6

The instruction `jmp esp` is encoded as `FF E4`. It’s not necessary to find an actual `jmp` instruction, just those bytes in the middle of any other code or data.

This is the basis for return oriented programming (ROP) and these small sequences of useful instructions are often called “ROP gadgets”.

Note this particular technique is easily broken by a non-executable stack. Requiring an executable stack is quite rare (outside specific cases like a JIT compiler) so this is a simple and effective mitigation. To get round this there are techniques like return-to-libc which chain a number of these small ROP gadgets to build a longer sequence of instructions.

David
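To illustrate David's point, here is a small Python scan (added for this page, not code from the original answer) over a constructed byte string: the immediate of `mov eax, 0x0000E4FF` happens to contain `FF E4`, so a byte-level search finds a `jmp esp` at an offset that a disassembler walking instruction boundaries would never report. The toy length decoder only knows the few opcodes used in the sample; it is not a general x86 decoder.

```python
from typing import List, Set, Tuple

# Encoding of `jmp esp` in 32-bit x86: opcode FF /4 with ModRM E4 (mod=11, reg=100, rm=100=esp).
JMP_ESP = bytes.fromhex("FFE4")

# Constructed 32-bit x86 fragment (illustrative, not taken from any real binary):
#   offset 0: B8 FF E4 00 00   mov eax, 0x0000E4FF   ; immediate contains FF E4 by accident
#   offset 5: 31 C9            xor ecx, ecx
#   offset 7: FF E4            jmp esp               ; a deliberate one, for comparison
#   offset 9: C3               ret
SAMPLE_CODE = bytes.fromhex("B8FFE40000" "31C9" "FFE4" "C3")


def find_jmp_esp(code: bytes) -> List[int]:
    """Return every offset at which the bytes FF E4 occur, ignoring instruction boundaries."""
    hits, start = [], 0
    while (i := code.find(JMP_ESP, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def instruction_starts(code: bytes) -> Set[int]:
    """Offsets a linear disassembler would treat as instruction starts.

    Toy length decoder for the opcodes in SAMPLE_CODE only (mov r32,imm32; xor/jmp with
    register-direct ModRM; ret; nop). Anything else raises so we never guess lengths.
    """
    starts, i = set(), 0
    while i < len(code):
        starts.add(i)
        op = code[i]
        if 0xB8 <= op <= 0xBF:          # mov r32, imm32: opcode + 4-byte immediate
            i += 5
        elif op in (0x31, 0xFF):        # xor r/m32, r32  or  FF /4 jmp r/m32
            if code[i + 1] >> 6 != 0b11:
                raise ValueError("toy decoder handles register-direct ModRM only")
            i += 2
        elif op in (0xC3, 0x90):        # ret, nop
            i += 1
        else:
            raise ValueError(f"unsupported opcode {op:02X} at offset {i}")
    return starts


def classify_hits(code: bytes) -> List[Tuple[int, str]]:
    """Label each FF E4 occurrence as 'intended' (on a boundary) or 'unintended' (mid-instruction)."""
    boundaries = instruction_starts(code)
    return [(off, "intended" if off in boundaries else "unintended") for off in find_jmp_esp(code)]
```

Running `classify_hits(SAMPLE_CODE)` reports the byte pair at offset 1, inside the `mov` immediate, as unintended and the real `jmp esp` at offset 7 as intended; the former is exactly the kind of sequence the answer describes, and it is present in a program that never contained such an instruction on purpose.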