问题
When writing buffer overflow exploit, I understand that I'll need to input an array of length (address_of_return_address - address_of_buffer). And the array needs to be filled with the address of the shellcode. So that when my input array overflows, it overwrites the saved return address with the address of the shellcode.
I think since the shellcode will be stored above the saved return address on the stack, its address should be address_of_return_address + the distance to the beginning of the shellcode.
Am I on the right track? If so, how should I figure out the distance between the saved return address and the distance to the beginning of the shellcode using GDB?
回答1:
You usually don't need to "figure out" the address of the shellcode. You overflow the buffer with a set string and work out the offset. Say
AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC
where BBBB overwrites EIP (the next instruction address) and CCCC drops in where the ESP register is pointing.
You need to find an instruction that would continue execution at the shellcode, which you can insert where CCCC begins. Such as the JMP ESP instruction. This needs to be static (e.g. no ASLR) and the address should not contain any "bad" characters, such as \x00 which may terminate the buffer.
So process is:
- Buffer is overflowed with
A's. - EIP is now pointing at your located
JMP ESPinstruction. JMP ESPis executed by the processor - asESPis pointing at your shellcode, execution continues here.
You may need some extra padding on your shellcode at the start with e.g. NOPs (\x90) to allow for any expansion from decoding if you are using an encoded payload. However, some AVs and IDS's will detect the signature of many NOPs together so it might be better for the processor to do busy work instead to prevent detection.
That is the usual method, although it all depends if there is space for your payload and if you manage to locate it in a similar manner to the above. Techniques such as NOP sleds can be used to make locating payloads easier in case you need to write them elsewhere.
来源:https://stackoverflow.com/questions/28716669/write-buffer-overflow-exploit-how-to-figure-out-the-address-of-the-shellcode