
Do we overwrite EIP (return address) with an opcode or memory address?

Developer https://www.devze.com 2023-02-27 11:49 Source: Internet
char shellcode[] =
    "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
    "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
    "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

void main() {
    int *ret;
    ret = (int *)&ret + 2;      /* assumes the saved return address sits two words above ret on the stack */
    (*ret) = (int)shellcode;    /* overwrite that slot with the address of shellcode[] */
}

To my knowledge, shellcode[] is the hex opcode for spawning a shell, and the last line of the code overwrites ret with the opcode. Do we insert an opcode or a memory address into RET?


It doesn't overwrite the return opcode; it overwrites the return address on the stack (by assuming it's near a variable declared on the stack) so that when main() returns it doesn't go back to _start+n but instead to shellcode.


The ret register on the stack is a location that code gets returned to; putting an opcode there wouldn't be of much help. I suspect an address to code you want to run is the most likely candidate. Yay! It's probably best overall to consider what the items you are interacting with are used for, and how they get used, rather than trying to blindly dump data into them.
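The two answers above make the same point: the saved-return-address slot holds an address, so opcode bytes written there would just be read as a (meaningless) address. The following C program is an added illustration, not code from the question or the answers. It reinterprets the first four bytes of the question's shellcode as a 32-bit little-endian address to show what the CPU would see, and it reads the real saved return address with the GCC/Clang builtin `__builtin_return_address` (the slot the question's `ret + 2` arithmetic is guessing at) to confirm that it points back into the calling function. The `sample_opcodes` array and the 1024-byte bound on the caller's size are constructed assumptions for the demonstration; nothing here executes the bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the first six bytes of the i386 shellcode quoted in the
 * question (jmp / pop %esi / mov %esi,0x8(%esi)). They are only read as data. */
static const unsigned char sample_opcodes[] = { 0xeb, 0x2a, 0x5e, 0x89, 0x76, 0x08 };

/* Reinterpret the first four bytes of an opcode string as a 32-bit
 * little-endian value: what a 32-bit x86 CPU would load as the return
 * address if those bytes were sitting in the saved-return-address slot. */
uint32_t opcodes_as_address32(const unsigned char *bytes, size_t len) {
    uint32_t v = 0;
    for (size_t i = 0; i < 4 && i < len; i++)
        v |= (uint32_t)bytes[i] << (8 * i);
    return v;
}

/* Read our own saved return address. __builtin_return_address(0) is the
 * GCC/Clang way to look at the slot that "ret = (int *)&ret + 2" in the
 * question tries to locate by guessing the frame layout. */
__attribute__((noinline)) static uintptr_t read_saved_return_address(void) {
    return (uintptr_t)__builtin_return_address(0);
}

/* Returns 1 when the callee's saved return address lies inside this
 * function's own code, i.e. it is the instruction following the call. */
__attribute__((noinline)) int return_address_points_into_caller(void) {
    uintptr_t self = (uintptr_t)&return_address_points_into_caller;
    uintptr_t ret = read_saved_return_address();
    /* Assumption: this function's machine code is shorter than 1024 bytes. */
    return ret > self && ret < self + 1024;
}

int main(void) {
    uint32_t as_addr = opcodes_as_address32(sample_opcodes, sizeof sample_opcodes);
    printf("opcode bytes read as a 32-bit address: 0x%08x\n", as_addr);
    printf("saved return address points into the caller: %s\n",
           return_address_points_into_caller() ? "yes" : "no");
    return 0;
}
```

The first value (0x895e2aeb) is just the shellcode's own bytes, not the location of anything mapped in the process, which is why a return through it would fault rather than run the shell; the second check shows the slot's normal contents are a code address, so the only thing that usefully goes there is another code address, exactly as the question's `(*ret) = (int)shellcode` does.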


As it stands, it's inserting the address into the string. I suppose in this case, it's kind of a waste of time to point out that it's completely non-portable and almost certainly a really bad idea...

