Firstly, I'm sorry if this post doesn't fit exactly here, or maybe fits better in RE.

So, I was reading this writeup about an exploit in vulnserver (for those who don't know it, vulnserver is a program designed with flaws in mind, that is, to practice exploitation techniques):

> In this step we have to check the registers and the stack. We have to find a way to jump to our buffer to execute our code. ESP points to the beginning of the C part of our buffer. We have to find a JMP ESP or CALL ESP instruction. Do not forget that the address must not contain bad characters!

This makes sense, but wouldn't it be possible and easier to directly jump into the stack since we control EIP? (We are assuming ASLR and DEP are disabled, of course.)

How does he know ESP points to his shellcode? Why does ESP point exactly there? Shouldn't it point to the end of his shellcode instead? How is this supposed to work through reboots or on different computers?

Answer:

Your exploit payload ends up on the stack because you're overflowing a buffer on the stack, and this is how you gain control of the return address as well.

ESP points directly to the start of your payload (after execution of the ret in the function you're attacking) because you put the payload right after the 4 bytes that overwrite the return address on the stack. ret pops 4 (or 8) bytes into EIP, leaving ESP pointing to the payload that directly follows.

But you don't know what value ESP will have at that point, because of stack ASLR and because a different depth of call stack leading up to this point could change the address.
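As an added example (not code from the writeup or from the answer above), the following C program models the layout the answer describes: a payload made of padding, the little-endian address of a JMP ESP gadget, then shellcode; an emulated 32-bit RET that pops the gadget address into EIP and leaves ESP 4 bytes further on; and a bad-character check on the gadget address. The offset 2003, the gadget address 0x625011AF, the NUL-only bad-character list and the int3 placeholder shellcode are all assumptions chosen for illustration. The check places the frame at two different positions to show that the ESP-to-shellcode relationship holds wherever the stack lands, which is what makes the gadget approach independent of the absolute stack address.

```c
/* Added example (not code from the writeup or the answer above): models the
 * stack layout behind a JMP ESP exploit so the "why is ESP at my shellcode"
 * question can be checked byte by byte.  Everything here is constructed:
 * a 32-bit target, a return address 2003 bytes into the overflowed buffer,
 * a JMP ESP gadget at 0x625011AF, and NUL as the only bad character. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RET_OFFSET   2003u        /* bytes from buffer start to saved EIP (assumed) */
#define JMP_ESP_ADDR 0x625011AFu  /* hypothetical address of a JMP ESP gadget */
#define STACK_SIZE   4096u

static const uint8_t BADCHARS[] = { 0x00 };   /* assumed bad-character list */
/* Placeholder "shellcode": NOPs then int3 breakpoints, not a real payload. */
static const uint8_t SHELLCODE[] = { 0x90, 0x90, 0x90, 0x90, 0xCC, 0xCC, 0xCC, 0xCC };

static int has_badchar(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < sizeof BADCHARS; j++)
            if (p[i] == BADCHARS[j]) return 1;
    return 0;
}

/* Encode a 32-bit address little-endian, as it must appear in the buffer. */
static void put_le32(uint8_t *dst, uint32_t v) {
    for (int i = 0; i < 4; i++) dst[i] = (uint8_t)(v >> (8 * i));
}

/* A gadget address is usable only if none of its 4 bytes is a bad character
 * (0x00401000 fails here: its top byte is NUL). */
int address_usable(uint32_t addr) {
    uint8_t le[4];
    put_le32(le, addr);
    return !has_badchar(le, 4);
}

/* Layout: [RET_OFFSET bytes of padding][JMP ESP address][shellcode].
 * Returns the total length, or -1 if the address or shellcode contains a
 * bad character or the destination buffer is too small. */
int build_payload(uint8_t *out, size_t cap) {
    size_t total = RET_OFFSET + 4 + sizeof SHELLCODE;
    if (total > cap) return -1;
    if (!address_usable(JMP_ESP_ADDR) || has_badchar(SHELLCODE, sizeof SHELLCODE)) return -1;
    memset(out, 'A', RET_OFFSET);
    put_le32(out + RET_OFFSET, JMP_ESP_ADDR);
    memcpy(out + RET_OFFSET + 4, SHELLCODE, sizeof SHELLCODE);
    return (int)total;
}

/* Emulate the vulnerable function's RET with the overflowed frame living at
 * `stack_base` (whatever address the stack happened to get).  Before RET, ESP
 * points at the saved-EIP slot; RET loads EIP from [ESP] and adds 4 to ESP.
 * Returns ESP as an offset from the start of the payload and writes the new EIP. */
long emulate_ret(const uint8_t *stack_base, uint32_t *eip_out) {
    const uint8_t *esp = stack_base + RET_OFFSET;
    *eip_out = (uint32_t)esp[0] | (uint32_t)esp[1] << 8 |
               (uint32_t)esp[2] << 16 | (uint32_t)esp[3] << 24;
    esp += 4;
    return (long)(esp - stack_base);
}

/* Run the whole chain with the frame at two different addresses: EIP must
 * become the gadget and ESP must land on the shellcode both times, which is
 * why JMP ESP works without knowing the absolute stack address.
 * Returns 1 on success, 0 otherwise. */
int verify_jmp_esp_layout(void) {
    static uint8_t stack[STACK_SIZE];
    size_t bases[] = { 0, 512 };   /* two "random" stack positions in the same array */
    for (size_t k = 0; k < 2; k++) {
        uint8_t *frame = stack + bases[k];
        uint32_t eip;
        if (build_payload(frame, STACK_SIZE - bases[k]) < 0) return 0;
        long esp_off = emulate_ret(frame, &eip);
        if (eip != JMP_ESP_ADDR) return 0;                /* RET transfers to the gadget */
        if (esp_off != (long)(RET_OFFSET + 4)) return 0;  /* ESP is right after saved EIP */
        if (memcmp(frame + esp_off, SHELLCODE, sizeof SHELLCODE) != 0) return 0; /* = shellcode */
    }
    return 1;
}

int main(void) {
    printf("layout check: %s\n",
           verify_jmp_esp_layout() ? "ESP lands on shellcode after RET" : "FAILED");
    printf("0x%08x usable: %d, 0x%08x usable: %d\n",
           JMP_ESP_ADDR, address_usable(JMP_ESP_ADDR),
           0x00401000u, address_usable(0x00401000u));
    return 0;
}
```

The program never executes the placeholder bytes; it only checks the arithmetic, so it compiles and runs on any host regardless of architecture or mitigations.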