Page 1 of 3 123 LastLast
Results 1 to 10 of 27

Thread: Buffer Overflows - Help Understanding EIP and ESP Interaction

  1. #1
    Member
    Join Date
    Jun 2009
    Posts
    74

    Default Buffer Overflows - Help Understanding EIP and ESP Interaction

    All,

    As some of you know from my last thread I have been working w/ Lupin's tutorials on buffer overflow exploits. In the first tutorial located here: The Grey Corner: Stack Based Windows Buffer Overflow Tutorial Lupin details how the EIP and ESP registers interact:

    A little more detail about the EIP register is probably required here. The CPU decides which instruction to execute next by reading the value of the EIP register and executing the instruction that is located at that memory address. For example if the EIP register contains the address 0x77daaf0a, and that memory address stores the codes \xff\xe4 (which are the machine language opcodes for the assembly instruction JMP ESP) then the CPU will execute that instruction, causing it to "jump" execution to the memory location stored in the ESP register. The value of the EIP register will then be set to the value of the ESP register, and the CPU will execute the instruction located in the memory address referenced by the ESP register. So, if the ESP register contained the value 0x01423908, a JMP ESP machine instruction would then cause EIP to be set to 0x01423908, and whatever machine language instruction was located at the memory address 0x01423908 would be executed next.
    The part I don't understand is when the EIP register is set back to the value of the ESP register. In his example, the EIP points to 77daaf0a which has a JMP ESP instruction. once the CPU jumps to the ESP, is the EIP cleared? Does it just stay empty until it is filled by the ESP's value (in this case 01423908)? If the EIP didn't contain JMP ESP and contained some other arbitrary memory address, once the CPU jumps out of EIP and into the other memory address, what fills EIP, or does it remain empty?

    If it remains empty is this where the ability to overwrite and redirect execution of the program comes from? In other words, we overwrite EIP with our ASCII equivalent of the address we want the CPU to go to (or a jump instruction to ESP which in turn contains our desired mem address), via the buffer overflow (in this case a malformed HTTP GET request), is that correct?

    Furthermore, let's say we have written some kind of exploit that requires the user to reboot in order for it to work to our advantage. If we were to overwrite the EIP with a memory address containing a JMP EIP instruction, is it possible to skip the ESP register and create an instruction loop to crash the application (or possibly do other nasty things like freeze the computer, forcing the user to reboot and completing our other exploit)? Just thinking outside the box here.

    Anyway my main goal w/ this post is to understand how the EIP and ESP registers work together and whether they are dependent on one another.

    Thanks
    Last edited by ThePistonDoctor; 12-10-2010 at 05:51 AM.

  2. #2
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    I don't have my reference manuals nearby, but dig up some good assembly programming basics guides they should help.

    I'm probably wrong, considering my day, but:

    We control EIP which is the next instruction pointer and tell it where to point. After it has pointed where we tell it to, the CPU resets EIP to the next instruction in the list (which is, in this case, jump to the location stored in ESP).

    ESP is the stack pointer, and points to the highest (lowest?) point on the stack. That we are jumping to ESP is irrelevant (normally I work it so I can jmp eax, and it interacts the same way). As far as EIP is concerned, it's just one more instruction to execute and it just happens to be stored in the ESP.

    Anyway, that might be absolute garbage, but it's a start. Read an assembly book, or wait for someone with a guide handy to refer to.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  3. #3
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    If we were to overwrite the EIP with a memory address containing a JMP EIP instruction, is it possible to skip the ESP register and create an instruction loop to crash the application (or possibly do other nasty things like freeze the computer, forcing the user to reboot and completing our other exploit)? Just thinking outside the box here.
    I don't know the code . but if you can find it to turn of kernel debugger(flag,switch,maybe pushf,popf...) then just call ,pass a int 3(debugg interupt), that should blue screen the computer)

  4. #4
    Member
    Join Date
    Jun 2009
    Posts
    74

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    Thanks for the response. I am coming into this with 0 knowledge of assembly language, so getting this far in only one day was a pretty good feeling. By the same token I am a stickler for not moving forward in a project until I understand COMPLETELY what I'm doing so I haven't finished the BoF exploit in the tutorial yet. I am now at the point where I'm using the pattern_offset.rb script to find offsets and the exact address where EIP is overwritten.

    I experimented w/ the code a little bit myself, changing the
    Code:
    buffer = "GET " + "\x41" * 2220 + " HTTP 1.1/\r\n\r\n"
    line to things like
    Code:
    buffer = "GET " + "\x41" * 1787 + " HTTP 1.1/\r\n\r\n"
    (based on reading the security advisory; as I expected the app passes w/ no violations in the debugger w/ that code) and
    Code:
    buffer = "GET " + "\x41" * 1790 + " HTTP 1.1/\r\n\r\n"
    which put 41 into the 4th byte of EIP. I attempted to overwrite it myself manually in this way but didn't succeed so I decided to try the patter_create.rb and pattern_offset.rb tools to do it, but I don't quite understand the pattern_offset.rb tool yet. I realize what it's doing but I don't know where the EIP register address comes into play or where the tool is getting 1787 from when I plug in that memory address.

    Anyway, I'll keep reading, maybe some others can comment in the mean time.

  5. #5
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    The EIP (Extended Instruction Pointer) register always points to the memory address from which the CPU will try and run its next instruction - thats the function of this register, it controls what code the CPU runs. The register will never be empty during normal operation of a program. The ESP (Extended Stack Pointer) register points to the current location in memory that refers to the top of the stack - which is a memory structure used primarily to make use of functions more efficient.

    In particular, when loading a function we place a stack frame onto the stack which contains, amongst other things, a return address that the CPU should load into the EIP register once the function returns and the program needs to continue on from where it left off. The RET assembly instruction is used to actually accomplish this process when the function is done. When run the RET instruction takes the memory address from the top of the stack and "pops" it into the EIP register to allow execution to continue from that address in memory. ("Pop"ing an entry from the stack refers to removing it from the top of the stack and placing it into a CPU register.)

    In the case of a stack based buffer overflow, this return pointer on the stack is overwritten with user supplied data, and instead of EIP being loaded with the address of the next location in memory after the previous function was called, EIP instead gets loaded with a user supplied value, provided in a particular section of data sent to the program. After this happens, the ESP register also points to the data in memory located immediately after the return pointer overwrite address - this is because the RET instruction used to set the value of EIP changes the stack pointer (ESP) to point to the next entry on the stack (it essentially adds 4 bytes to the ESP register). This is why a JMP ESP instruction will almost always point to a location within the user supplied buffer when used as a trampoline instruction for simple stack based overflows.

    As to your reference to a JMP EIP instruction - these don't exist, and wouldn't make sense because the EIP register already contains the address of code to be executed by the CPU. JMP EIP would be redundant. You can check out a X86 instruction set reference to see what commands do exist. Id also recommend you read a few more of my buffer overflow tutorials, as they do get more advanced as they proceed and will provide more detail about this kind of thing.

    Also, Im in the process of writing a new, more detailed series of articles on this subject, so you might also want to look out for that. I dont have an ETA for that as Im actually writing them on commission, but I will have links on my blog and perhaps here when they are ready.

    Did that clear things up for you?

    Edit: Thats in response to the first post, but maybe it clears up the question in the second post too?
    Last edited by lupin; 12-10-2010 at 07:28 AM. Reason: Edit...
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  6. #6
    Member
    Join Date
    Jun 2009
    Posts
    74

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    Awesome, thanks Lupin. Let me soak that up for a couple days and keep working on this. It's been very helpful so far.
    cd ~
    cd ./fridge
    rm beer
    cd ../bedroom
    more beer

  7. #7
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    Upon re-reading my outline of the purpose of the EIP register above, I think it could do with some clarification in line with the original question, especially regarding the confusion around whether the register could ever have no value.

    The EIP register is used to determine the address of what code the CPU will run next. It essentially points to an address in memory, from which the CPU will read data that it will interpret as instructions to perform. The instructions are in machine code, (e.g. the bytes \xff\xe4) which Ollydbg will disassemble for you so you can read it as assembly instructions (e.g. JMP ESP).

    Now, while there are a number of instructions that will specifically change the value of the EIP register when they are executed (e.g. CALL, RET, JMP, etc), if an instruction is run that does not specifically change this register the EIP register will still change to point to the next instruction in memory once it has finished executing the current one. Those instructions that specifically change the value of the EIP register are what allow you to implement programming structures such as branching, loops, etc, but if they are not used the default mode of the CPU is to just execute one instruction after another - and the EIP register automatically increments itself to always point to the current instruction to facilitate this.

    Be aware that the instructions taken from memory and executed by the CPU will be of variable length, so the incrementing of the EIP register will not use a consistent value. I'll also add that this information is specific to the X86 32 bit CPU...
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  8. #8
    Junior Member
    Join Date
    Aug 2010
    Posts
    64

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    In this thread I've read that EIP is the current instruction and the next instruction.

    So I have a question to get clarification.

    here is a made up set of addresses

    0x0001
    0x0002
    0x0003

    Now, when the CPU is running through the code and it is currently reading 0x0002, What will EIP be?

  9. #9
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    0x0002 in the debugger
    Last edited by compaq; 12-12-2010 at 07:23 PM.

  10. #10
    Junior Member
    Join Date
    Aug 2010
    Posts
    64

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    This is the first I'm hearing of blocks. So EIP has 2 blocks or "halves" if you will? So it is basically pointing to the current and next instruction all at the same time, sort of like staging the next instruction.

    Does that make sense or am I way off?


    EDIT: haha compaq edited his message - I guess 0x0002 is the answer :P
    Last edited by sLiPpErY; 12-12-2010 at 08:37 PM.

Page 1 of 3 123 LastLast

Similar Threads

  1. Replies: 0
    Last Post: 11-29-2010, 06:34 AM
  2. A question about buffer overflows...
    By drakoth777 in forum OLD Pentesting
    Replies: 2
    Last Post: 03-24-2009, 08:22 PM
  3. Heap overflows
    By compaq in forum OLD Newbie Area
    Replies: 2
    Last Post: 12-06-2008, 01:04 AM
  4. Stack Overflows using Python
    By Pako_Guitar in forum OLD Programming
    Replies: 0
    Last Post: 10-01-2008, 01:18 PM
  5. Aireplay-ng overflows my IPW3945? Possible?
    By DraveThe in forum OLD Newbie Area
    Replies: 0
    Last Post: 01-12-2008, 08:33 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •