1

Sorry if this post is in the wrong section I'm fairly new to the security field and I am new to stackexchange if this post is in the wrong section would be great if it was moved for me,also sorry if similar questions have been asked before which they have but I couldn't find an answer that clears things up for me.I digress.

I have been studying buffer overflows for the past few days and I have come across a tutorial a link!

if you watch at the very end the attacker puts some random characters into the buffer until he/she hits the return address the program gives a seg fault,so he/she next inserts random characters followed by an address( which is the memory address of the JMP ESP instruction inside the dll attached to the program) followed by the payload or shellcode.

so my question is why and how does this attack work since he/she is placing the shellcode after the return address and not in the buffer space like usual buffer overflow attacks on 32 bit machines. In other attacks the shellcode would be placed inside the buffer space with no ops preceding it,the return address would be overwritten to jump to an address inside the buffer and the shellcode would eventually be executed.

In this example as mentioned the shellcode is after the return address,how would this work? Inside the dll there is a asm__(JMP ESP) so the return address will first go to that memory location of where that instruction is located in the dll then it will execute the JMP ESP instruction,but where is the ESP pointing wouldn't the ESP be pointing to the return address at this stage or even the EBP?

sorry if I haven't explained this question very well,asking questions isn't my strong suit.

irishmaniac
  • 11
  • 1
  • I think your question looks like [this one](https://security.stackexchange.com/questions/182446/buffer-overflow-why-does-the-esp-register-change-its-value-after-access-violati/182473#182473) I had answered a while back. I posted the link in case it might be useful to clear some things out. – game0ver Dec 05 '18 at 01:14
  • @game0ver "Now, when a function returns (most of the times using RET instruction) it pops EIP and also performs: add esp, 4. In this way ESP will point to the last parameter pushed on the stack when the function was called" I think this may answer it,so correct me if I'm wrong what is happening is when return gets called ESP will point to the last param pushed onto the stack and since we are jumping to ESP the control of execution will continue to execute there and eventually get to our shellcode? so the EIP will continue to increment until our shellcode is executed? – irishmaniac Dec 05 '18 at 18:02
  • Since shellcode is part of your input (_which input in many cases is the arguments stored on the stack_), when the function return `ESP` will point to those arguments and thus to your shellcode. So by making `EIP` point to a `JMP ESP` instruction you force the execution of the shellcode. What happens then depends on what the shellcode does. – game0ver Dec 05 '18 at 20:44
  • **But** `ESP` is not always the case. There are situations where you may have control of another register, so you'll want to jump to this register instead. Also if you have enough stack space you may jump directly on a stack address **but** due to modern security mitigations this way is not as reliable and will usually fail. – game0ver Dec 05 '18 at 20:46
  • @game0ver that makes sense,just a quick follow up,I overthink things too much but as you said the shellcode will be the argument for the program and the ESP will point to that argument but what about the rest of the arguments for example the random string of "AAAAABBBB...." and the return address? they are also in the arguments so will these be ignored? how so? – irishmaniac Dec 06 '18 at 13:33
  • The other arguments won't be ignored - they are also stored on the stack. Lets say that your input will contain "AAAA...BBB...Shellcode..." etc... This input will be stored on the stack and if it's bigger than your local buffers (_which is the case in a stack overflow_) it will overwrite stored registers and arguments if exist. – game0ver Dec 06 '18 at 17:56
  • yes now I think I get it "AAA.BBB...... will be written in the buffer we then overwrite the return address and then overwrite the arguments memory of the stack that will be the region overwrote by the shellcode and since the ESP is pointing the arguments the shellcode will be executed? – irishmaniac Dec 06 '18 at 20:03
  • Yes exactly, that's why you want to make EIP point to a JMP ESP instruction. Also have in mind that in the process also other registers might also be overwritten which is also useful in some cases. – game0ver Dec 06 '18 at 20:10
  • thanks game0ver took me a while to figure out but you got me there.thanks! – irishmaniac Dec 06 '18 at 20:34
  • No problem! Glad to help! – game0ver Dec 06 '18 at 21:29

0 Answers0