Rcjp's Weblog

November 8, 2004

Shellcode

Filed under: c — rcjp @ 3:22 pm

Some notes from the Shellcoders handbook…


                   +-------------------+
  High Address --> | env pointer argc? |
                   +-------------------+
                   |      stack        |
                   |        |          |
                   |        |          |
                   |        v          |
                   +-------------------+
                   |        ^          |
                   |        |          |
                   |        |          |
                   |       heap        |
                   +-------------------+
                   |       .bss        |
                   +-------------------+
                   |      .text        |
                   +-------------------+
                   |    shared libs    |
                   +-------------------+

o Stack Overflows
  EBP - frame pointer
  to investigate the stack do
  gcc -mpreferred-stack-boundary=2 -ggdb tt.c -o tt

  Before calling a function
  -------------------------
  o save EBP on the stack
  o store ESP in EBP (EBP can now be used to reference the args inside
                      this function even though the stack pointer ESP
                      changes when you push/pop etc.)
  o maybe sub ESP for some space for local variables -----------------+
  o maybe save some regs                                              |
  o sub ESP by required stack amount for returned values -----------+ |
  o push args for function                                          | |
  o call function (which implicitly first pushes the return address | |
                   on the stack)                                    | |
                                                                    | |
              +---------------------+                               | |
  EBP ------> |   old value of EBP  |                               | |
              +---------------------+                               | |
              |     locals...       |   ^                           | |
              +---------------------+   |-----------------------------+
              |     locals...       |   v                           |
              +---------------------+                               |
              | saved regs EBX etc. |                               |
              +---------------------+                               |
              |  returned value 1   |    ^                          |
              +---------------------+    |                          |
              |  returned value 2   |    |--------------------------+  
              +---------------------+    v
              |    EIP of address   |
              |    just after CALL  |
              +---------------------+

 o space on the stack e.g. for local variables is usually rounded up
   to 4 byte blocks


Inside the called function 
--------------------------
 Assuming this called function doesn't call any other functions
 (otherwise it will look very like the situation above)

  o push EBP on the stack
  o store ESP in EBP (EBP can now be used to reference the args inside
                      this function even though the stack pointer ESP
                      changes when you push/pop etc.)
  o maybe sub ESP for some space for local variables -----------------+
  o do the work of the function -                                     |
    note the function can refer to the arguments passed to it by:     |
    and to save the return values so the calling function can use them|
    it does:                                                          |
                                                                      |
              .                     .                                 |
              .                     .                                 |
              +---------------------+                                 |
              |   function arg 2... |                                 |
              +---------------------+                                 |
              |    EIP of address   |                                 |
              |    after CALL       |                                 |

              +---------------------+                                 |
  EBP ------> |   pushed  EBP       |                                 |
              +---------------------+                                 |
              |   function locals...|   ^                             |
              +---------------------+   |-----------------------------+
  ESP ------> |   function locals...|   v                            
              +---------------------+                                

    After that it just needs to clean up the stack before returning
  o point ESP to where push's (i.e. jump over function locals)
  o pop EBP etc.
  o ret from function (which implicitly first pops the EIP return address 
                       off the stack)                                    

If you didn't allocate enough memory for the function locals the
memory will be overwritten upwards (increasing memory addresses)
overwriting 'pushed EBP' and 'EIP of address after CALL' etc.

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: