
Thread: Buffer Overflows - Help Understanding EIP and ESP Interaction

  #11  Member (joined Jun 2009, 74 posts)
    Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    Hey all,

    Thanks for the responses to this so far. It's been really helpful. I finally got some time to play with this again tonight and it suddenly all clicked (funny how that happens, no?)

    So I moved onto the pattern_create and pattern_offset part. Now the one thing I really don't understand is when EIP is pointing to 36684335, how does pattern_offset.rb deduce 1787 as a result from that? I can see where it gets 1791 from Ch7C (I replaced the Ch7C with "8Cv9" (the last four letters of the string created by pattern_create.rb) and got 2216 (four bytes from the end of 2220) as I expected) but I don't really see where that memory address fits into the offset tool.

    So the way I understand it so far:

    1. We overflow the buffer w/ a bunch of random junk to make sure it's vulnerable.
    2. Once we know it's vulnerable, we use pattern_create.rb to create a unique pattern and feed it to the app to crash it.
    3. We then search the pattern we made with pattern_offset.rb to find out exactly where EIP is overwritten and where ESP points at that time.
    4. Finally we adjust our exploit so it will overwrite EIP with a JMP ESP instruction to put our evil memory address into EIP which should then execute it.

    I think I've got it almost down, but I'm still unclear on step 3. I'm going to move on though in hopes that it will make sense at the end. If anyone wants to comment, feel free.
    cd ~
    cd ./fridge
    rm beer
    cd ../bedroom
    more beer

  #12  Super Moderator lupin (joined Jan 2010, 2,943 posts)

    pattern_create creates a pattern of a given size such that each sequence of 4 consecutive characters within the pattern occurs only in one location (or offset) within the pattern. This means that when you feed the four characters that overwrite EIP into pattern_offset it can tell you the offset from the start of the pattern created by pattern_create at which those characters are located.

    It basically just provides you a shortcut way to determine which particular characters from the data you send actually overwrite EIP.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  #13  Member (joined Jun 2009, 74 posts)

    Right, but how does it deduce 1787 from a memory address that never appears once in the pattern? That part is a little unclear.

    Anyway, it worked perfectly. I got the reverse shell so I'm moving on to more advanced exploits now. This one was very educational and my gears are already turning re how I could automate this process, so I might start scripting some stuff as I move along further.

    I'll post up any little apps I develop to let you guys all play with them.

  #14  Super Moderator lupin (joined Jan 2010, 2,943 posts)

    Quoting ThePistonDoctor:
        Right, but how does it deduce 1787 from a memory address that never appears once in the pattern? That part is a little unclear.
    That memory address is the representation of four consecutive bytes from the pattern created by pattern_create. EIP is being overwritten with four bytes of data generated by pattern_create, so the memory address for EIP actually comes from within the content of the pattern_create buffer.
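lupin's two answers above (#12 and #14) describe what pattern_create/pattern_offset do and why a register value such as 36684335 maps to an offset. The C program below is an added example, not Metasploit's own code and not part of the thread: it regenerates the same Aa0Aa1...Zz9 triplet pattern, decodes the EIP value back into the little-endian byte string it was written from, and searches for that 4-byte window. It reproduces the thread's own numbers (1787 for 0x36684335, 1791 for "Ch7C", 2216 for "8Cv9" on a 2220-byte pattern). Function names and the 2220-byte length are the example's choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 26 upper * 26 lower * 10 digits = 6760 triplets = 20280 bytes.  Below
 * that length every 4-byte window of the pattern occurs exactly once,
 * which is what makes the offset lookup unambiguous. */
#define MAX_PATTERN 20280

/* Same construction as pattern_create.rb (re-implemented here): emit the
 * triplets Aa0 Aa1 ... Aa9 Ab0 ... Zz9 until len bytes are written.
 * buf must hold len + 1 bytes (or MAX_PATTERN + 1 if len is larger).
 * Returns the number of pattern bytes actually written. */
size_t pattern_create(char *buf, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { u, l, d };
                size_t k = (len - n < 3) ? len - n : 3;   /* trailing partial triplet */
                memcpy(buf + n, trip, k);
                n += k;
            }
    buf[n] = '\0';
    return n;
}

/* Same job as pattern_offset.rb: first offset of a 4-byte window, or -1. */
long pattern_offset(const char *pattern, size_t len, const char *needle)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pattern + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* x86 is little-endian: the 4 pattern bytes 35 43 68 36 ("5Ch6") read
 * back out of EIP as 0x36684335.  Undo that so we can search for them. */
void eip_to_bytes(uint32_t eip, char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((eip >> (8 * i)) & 0xff);
}

long offset_of_eip(const char *pattern, size_t len, uint32_t eip)
{
    char window[4];
    eip_to_bytes(eip, window);
    return pattern_offset(pattern, len, window);
}

/* Convenience wrappers that build the pattern and look something up in it. */
static char demo_pattern[MAX_PATTERN + 1];

long demo_offset_of_eip(size_t len, uint32_t eip)
{
    if (len > MAX_PATTERN) len = MAX_PATTERN;
    size_t n = pattern_create(demo_pattern, len);
    return offset_of_eip(demo_pattern, n, eip);
}

long demo_offset_of_str(size_t len, const char *four)
{
    if (len > MAX_PATTERN) len = MAX_PATTERN;
    size_t n = pattern_create(demo_pattern, len);
    return pattern_offset(demo_pattern, n, four);
}

int main(void)
{
    size_t len = 2220;   /* the pattern size used in the thread */
    printf("EIP 0x36684335            -> offset %ld\n", demo_offset_of_eip(len, 0x36684335u));
    printf("\"Ch7C\" (bytes at ESP)     -> offset %ld\n", demo_offset_of_str(len, "Ch7C"));
    printf("\"8Cv9\" (last four bytes)  -> offset %ld\n", demo_offset_of_str(len, "8Cv9"));
    return 0;
}
```

The lookup is a plain substring search; the only thing that makes the answer meaningful is the uniqueness of 4-byte windows in the triplet sequence, which holds up to 20280 bytes. pattern_offset.rb accepts either the hex register value or the four characters, and does the same byte reversal internally when given the hex form; the bytes at ESP are looked up the same way, which is how step 3 of the thread's procedure gives both the EIP offset and the ESP offset from one crash.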

  #15  Administrator sickness (Behind the screen; joined Jan 2010, 2,921 posts)

    If you want it to be more clear you can try and deduce when the overwrite occurs manually, that should give you a better understanding.
    Back|track giving machine guns to monkeys since 2007 !

    Do not read the Wiki, most your questions will not be answered there !
    Do not take a look at the: Forum Rules !

  #16  Member (joined Jun 2009, 74 posts)

    Yeah, I think I'm going to do that. I will write a little script to do it myself. Thanks.

  #17  Senior Member savioboyz (Nigeria; joined Oct 2010, 118 posts)

    Love that tutorial, clearly documented with important details included...
    Great job, Lupin.
    Saviour Emmauel Ekiko

  #18  Super Moderator lupin (joined Jan 2010, 2,943 posts)

    Quoting savioboyz:
        Love that tutorial, clearly documented with important details included...
        Great job, Lupin.
    Thanks for that.

  #19  Member (joined Jan 2010, 70 posts)

    Just to correct a misconception that people derived: the EIP does not contain two halves. The system always behaves as if every non-branching instruction were followed by "eip = eip + [length of previous instruction]". Branch (jmp, call, etc.) instructions, when taken, do something like "eip = &my_instructions".

    Also, on non-Intel architectures, instructions are generally fixed length, i.e. the instruction pointer will always be incremented by a set value. It also is not always called "eip". Even on Intel architectures, the 64-bit instruction register is called "rip".

  #20  Very good friend of the forum Virchanza (joined Jan 2010, 863 posts)

    Quoting ThePistonDoctor:
        The part I don't understand is when the EIP register is set back to the value of the ESP register. In his example, the EIP points to 77daaf0a which has a JMP ESP instruction. Once the CPU jumps to the ESP, is the EIP cleared? Does it just stay empty until it is filled by the ESP's value (in this case 01423908)? If the EIP didn't contain JMP ESP and contained some other arbitrary memory address, once the CPU jumps out of EIP and into the other memory address, what fills EIP, or does it remain empty?

    It might help if you think of the JMP statement as just a simple assignment statement. When you do:

        JMP ESP

    well, all it does is:

        EIP = ESP

    There's no actual "jumping" going on per se (it's not like there's mechanical gears moving around!), you're just changing the value of the register which decides what instruction to execute next. So the next time the CPU does a cycle and retrieves an instruction from code memory, it will look at the address pointed to by the EIP register.

    (I've only ever done assembler on microcontrollers so I'm open to correction here if things are different for big PCs).
    Last edited by Virchanza; 12-21-2010 at 10:13 PM.
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".
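To make the point of #19 and #20 concrete (EIP is never "empty", it is always just the address of the next fetch: a non-branch instruction advances it by its own length, RET loads it from the stack, and JMP ESP copies ESP into it), here is an added C example that is not part of the thread: a toy fetch/execute loop over four real x86 encodings (90 nop, C3 ret, FF E4 jmp esp, CC int3). The two memory regions sit at the addresses the thread quotes (the JMP ESP gadget at 0x77daaf0a, the post-overflow ESP of 0x01423908); the rest of the layout, the overwritten return address already on the stack, and the nop/int3 stand-in for shellcode are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed guest memory: a 32-byte "code" region that holds the
 * vulnerable function's ret and the jmp esp gadget, and a 32-byte
 * "stack" region that the overflow has already filled. */
#define CODE_BASE   0x77daaf00u
#define STACK_BASE  0x01423900u
#define REGION_SIZE 32u
#define MAX_STEPS   16

struct cpu {
    uint32_t eip;                 /* address of the NEXT instruction to fetch */
    uint32_t esp;
    uint8_t  code[REGION_SIZE];
    uint8_t  stack[REGION_SIZE];
    uint32_t trace[MAX_STEPS];    /* eip after each executed instruction */
    int      steps;
};

/* Guest address -> host pointer, NULL if unmapped (a real CPU would fault). */
static uint8_t *mem(struct cpu *c, uint32_t addr)
{
    if (addr - CODE_BASE  < REGION_SIZE) return &c->code[addr - CODE_BASE];
    if (addr - STACK_BASE < REGION_SIZE) return &c->stack[addr - STACK_BASE];
    return NULL;
}

static uint32_t load32(struct cpu *c, uint32_t addr)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {               /* little-endian, like x86 */
        uint8_t *p = mem(c, addr + i);
        v |= (uint32_t)(p ? *p : 0) << (8 * i);
    }
    return v;
}

static void store32(struct cpu *c, uint32_t addr, uint32_t v)
{
    for (int i = 0; i < 4; i++) {
        uint8_t *p = mem(c, addr + i);
        if (p) *p = (uint8_t)(v >> (8 * i));
    }
}

/* Execute one instruction.  Returns 1 to continue, 0 on int3 (halt),
 * -1 on an unmapped fetch or an opcode this toy does not model. */
static int step(struct cpu *c)
{
    uint8_t *op = mem(c, c->eip);
    if (!op || c->steps >= MAX_STEPS) return -1;
    switch (op[0]) {
    case 0x90:                                  /* nop: eip += its length (1) */
        c->eip += 1;
        break;
    case 0xC3:                                  /* ret: eip = [esp]; esp += 4 */
        c->eip = load32(c, c->esp);
        c->esp += 4;
        break;
    case 0xFF: {                                /* ff e4 = jmp esp: eip = esp */
        uint8_t *m = mem(c, c->eip + 1);
        if (!m || *m != 0xE4) return -1;
        c->eip = c->esp;
        break;
    }
    case 0xCC:                                  /* int3: advance past it, then halt */
        c->eip += 1;
        c->trace[c->steps++] = c->eip;
        return 0;
    default:
        return -1;
    }
    c->trace[c->steps++] = c->eip;
    return 1;
}

/* State just before the vulnerable function's ret runs, with the saved
 * return address already overwritten by the gadget address 0x77daaf0a. */
void setup_overflow(struct cpu *c)
{
    memset(c, 0, sizeof *c);
    c->code[0x00] = 0xC3;                        /* 0x77daaf00: ret */
    c->code[0x0a] = 0xFF; c->code[0x0b] = 0xE4;  /* 0x77daaf0a: jmp esp */
    c->eip = CODE_BASE;
    c->esp = STACK_BASE + 4;                     /* esp -> overwritten return address */
    store32(c, c->esp, 0x77daaf0au);             /* the 4 bytes that ret will load into EIP */
    c->stack[8] = 0x90; c->stack[9] = 0x90; c->stack[10] = 0xCC;   /* "shellcode" at 0x01423908 */
}

static int run(struct cpu *c)
{
    int r;
    while ((r = step(c)) == 1)
        ;
    return r;
}

static struct cpu demo;

/* Run the whole scenario; returns instructions executed, or 0 on a fault. */
int run_demo(void)
{
    setup_overflow(&demo);
    return run(&demo) == 0 ? demo.steps : 0;
}
uint32_t demo_eip_after(int n) { return (n >= 1 && n <= demo.steps) ? demo.trace[n - 1] : 0; }
uint32_t demo_esp(void) { return demo.esp; }

int main(void)
{
    int n = run_demo();
    for (int i = 1; i <= n; i++)
        printf("after instruction %d: eip = %08x\n", i, demo_eip_after(i));
    printf("halted with esp = %08x\n", demo_esp());
    return 0;
}
```

The trace shows the whole chain the thread is about: RET pulls 0x77daaf0a off the stack into EIP and leaves ESP at 0x01423908 (just past the overwritten return address), JMP ESP then assigns that ESP value to EIP, and from there each byte of the payload is fetched in turn. At no point is EIP cleared or empty; every instruction, branch or not, ends by leaving some address in it for the next fetch.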
