called the NOP sled, that can assist with this difficult chicanery. NOP is an
assembly instruction that is short for no operation. It is a single-byte instruction
that does absolutely nothing. These instructions are sometimes used to waste
computational cycles for timing purposes and are actually necessary in the
Sparc processor architecture, due to instruction pipelining. In this case, NOP
instructions are going to be used for a different purpose: as a fudge factor.
We'll create a large array (or sled) of these NOP instructions and place it
before the shellcode; then, if the EIP register points to any address found in
the NOP sled, it will increment while executing each NOP instruction, one at
a time, until it finally reaches the shellcode. This means that as long as the
return address is overwritten with any address found in the NOP sled, the EIP
register will slide down the sled to the shellcode, which will execute properly.
On the x86 architecture, the NOP instruction is equivalent to the hex byte
0x90. This means our completed exploit buffer looks something like this:
NOP sled
Shellcode
Repeated return address
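The same layout seen from the defender's side, as an added example that is not from the book: the classic IDS heuristic that flags a buffer containing a long run of 0x90 bytes. The function names, the threshold of 32 and the sample buffer (sled, four int3 placeholder bytes standing in for shellcode, repeated placeholder address) are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Added example, not from the book: a NOP-sled heuristic of the kind host and
 * network IDS rules use. Legitimate input rarely holds hundreds of x86 NOPs. */
#define NOP 0x90
/* Returns the length of the longest run of NOP bytes in buf[0..len) and
 * stores the run's start offset in *start (0 if no NOP is present). */
size_t longest_nop_run(const unsigned char *buf, size_t len, size_t *start)
{
    size_t best = 0, best_start = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != NOP) { cur = 0; continue; }
        cur++;
        if (cur > best) { best = cur; best_start = i + 1 - cur; }
    }
    if (start) *start = best_start;
    return best;
}
/* Flags a buffer whose longest NOP run reaches the threshold (assumed 32). */
int looks_like_nop_sled(const unsigned char *buf, size_t len, size_t threshold)
{
    return longest_nop_run(buf, len, NULL) >= threshold;
}
/* Builds a constructed 200-byte sample laid out like the buffer in the text:
 * 120-byte NOP sled, 4 placeholder "shellcode" bytes (int3, not real shellcode),
 * then a 4-byte placeholder return address repeated 19 times. Returns bytes written. */
size_t build_sample(unsigned char *out)
{
    const unsigned char payload[4] = { 0xcc, 0xcc, 0xcc, 0xcc };
    const unsigned char ret[4] = { 0x78, 0x56, 0x34, 0x12 };
    size_t n = 0;
    memset(out, NOP, 120); n += 120;
    memcpy(out + n, payload, 4); n += 4;
    for (int k = 0; k < 19; k++) { memcpy(out + n, ret, 4); n += 4; }
    return n;
}
int main(void)
{
    unsigned char sample[200];
    size_t start, n = build_sample(sample);
    size_t run = longest_nop_run(sample, n, &start);
    printf("longest NOP run: %zu bytes at offset %zu -> %s\n", run, start,
           looks_like_nop_sled(sample, n, 32) ? "suspicious" : "clean");
    return 0;
}
```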
Even with a NOP sled, the approximate location of the buffer in memory
must be predicted in advance. One technique for approximating the memory
location is to use a nearby stack location as a frame of reference. By
subtracting an offset from this location, the relative address of any variable
can be obtained.
From exploit_notesearch.c
unsigned int i, *ptr, ret, offset=270;
char *command, *buffer;
command = (char *) malloc(200);
bzero(command, 200); // Zero out the new memory.
strcpy(command, "./notesearch \'"); // Start command buffer.
buffer = command + strlen(command); // Set buffer at the end.
if(argc > 1) // Set offset.
    offset = atoi(argv[1]);
ret = (unsigned int) &i - offset; // Set return address.
In the notesearch exploit, the address of the variable i in main()'s stack
frame is used as a point of reference. Then an offset is subtracted from that
value; the result is the target return address. This offset was previously
determined to be 270, but how is this number calculated?
The easiest way to determine this offset is experimentally. The debugger
will shift memory around slightly and will drop privileges when the suid
root notesearch program is executed, making debugging much less useful
in this case.