1

Looking at a few basic stack-based buffer overflows, I'm confused as to the difference the caller's ebp plays in a basic return address overwrite vs an off-by-one ebp overwrite.

In the return address overwrite, the goal is to smash the stack enough to overwrite the return address and therefore control eip.

In the off-by-one attack, the LSB of the caller's ebp is overwritten. This forces ebp to pop, and the esp is moved to a location within the attacker-controlled buffer, which elicits control of the return address and, therefore `eip.

My confusion stems from the behaviour of ebp. In the basic return address overwrite, it doesn't matter that we overwrite the caller's ebp with junk bytes, but ebp's value needs to be coherent in the off-by-one attack. How does the function epilogue work in the basic buffer overflow case?

mov esp, ebp 
pop ebp
retn
Improve this question

1 Answer 1

Reset to default
1
+100

In a basic return address overwrite, as you said you're able to overwrite ret directly so only retn matters in the instructions of function epilogue.

In an off-by-one ebp overwrite apparently you know you can't overwrite ret, but you can pivot the stack to somewhere user controlled.
In this case attacker goes through two function epilogue at least to gain control.

  1. off-by-one ebp overwrite

    mov esp, ebp
pop ebp          ; now ebp is partially overwriten
retn

  2. pivot stack to controlled area. 

    mov esp, ebp     ; now stack(esp) is moved to controlled area.
pop ebp          ; controlled
retn             ; controlled --> gain eip control
Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

In the basic buffer overflow we completely overwrite ebp but that doesn't cause a pivot to a garbage address. What is it I'm not understanding about the difference?
Stack pivot have to be done by going through twice function epilogue. and in a basic return address overflow you gain eip control in one overflow, the stack remains unchanged.
Only ebp overwrited do not cause stack changed, overwrited ebp must be restored to esp, that means twice function epilogues are needed.
So if I have two functions, the second overwriting LSB of ebp, we won't gain eip until it returns normally via the first epilogue thensforth proceeding to continue until ebp is restored from the caller's [function] epilogue?
yes, and in practice this trick is usually not for ret overwrite but for other like GOT overwrite.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.