7. EAX – Accumulator, used for default operands and results
EBX – Base, used to store pointers to data
C
ECX – Counter, used to count up or down
P
EDX – Data, used as an I/O pointer
U
ESP – Stack Pointer, points to the top of the stack frame
EBP – Base Pointer, points to the base of the stack frame
R
ESI – Source Index, points to the source for data
E
EDI – Destination Index, points to the data destination
G
I Flag – Provides result for the latest operation
S
EIP – Instruction Pointer, points to the next instruction
T
E CS – Code Segment, points to the source of code segment
R DS – Data Segment, points to the source of data segment
S SS – Stack Segment, points to the source of stack segment
CS – Extra Segment, points to the source of extra segment
8. .
.HIGH
Segment Size: 0x100
S
E 0x400 EDX, EBX, ESI, EDI
ES
G 0x400
M
E
ESP, EBP
N SS 0x300
0x300
T
A
T 0x200 EDX, EBX, ESI, EDI
DS
I 0x200
O
N
0x100 EIP
CS 0x100
. LOW
.
9. 56
Buffer Overflow Basics
52
48
Stack Operations
44
40 PUSH – Subtract 4 from
36 1A EBP ESP ESP and put new value
at that address
32 CF
28 09
AC POP – Add 4 to ESP
24
direction...
Stack grows in this
20 OPER EBP ESP
16 PUSH 1A 36 36
12 PUSH CF 36 32
8 PUSH 09 36 28
4 POP 36 32
0 PUSH AC 36 28
10. Function Calls and Stack
HIGH
direction...
Stack grows in this
main() main() main() main() main()
fun1() fun1() fun1()
fun2()
LOW 1 2 3 4 5
main() -> fun1() -> fun2() > fun1() > main()
11. 56
Stack Organization for
52
Function Calls
48 local_var1 EBP
44 arg2
40 arg1 int fun (int arg1, int arg2){
36 RETN ADDR ESP int lvar1 = arg1 + arg2;
OLD EBP }
32
28 lvar1 int main () {
24 int local_var1;
20
fun (arg1, arg2);
}
16
12
8
4
0
12. 56
Stack Organization for
52
Function Calls
48 x=18 EBP
44 6
40 3
int add (int a, int b) {
36 RA=999 ESP int c = a + b;
32 OLD EBP=48 }
28 c=9
int main () {
24 int x = 18;
20 add (3, 6);
16
}
12
8
4
0
13. 220 Buffer Overflow Example
216
x=6
212
&argv[1]
208 int vuln (char *argv) {
RA=999 char buf[80];
204
OLD EBP=212 EBP int a = 9;
200
strcpy (buf, argv);
}
int main (int argc,
char **argv) {
int x = 6;
buf[80] vuln (argv[1]);
120
a=9 ESP }
116
112
108
104
14. 220 Buffer Overflow Example
216
x=6 int vuln (char *argv) {
212
&argv[1] char buf[80];
208 int a = 9;
RA=999 strcpy (buf, argv);
204
OLD EBP=212 EBP }
200
AAAA
int main (int argc,
char **argv) {
... int x = 6;
vuln (argv[1]);
}
AAAA
120
a=9 ESP
116
112
python -c 'print “A”*80'
108
104
15. 220 Buffer Overflow Example
216
x=6 int vuln (char *argv) {
212
&argv[1] char buf[80];
208 int a = 9;
RA=999 strcpy (buf, argv);
204
AAAA EBP }
200
AAAA
int main (int argc,
char **argv) {
... int x = 6;
vuln (argv[1]);
}
AAAA
120
a=9 ESP
116
112
python -c 'print “A”*84'
108
104
16. 220 Buffer Overflow Example
216
x=6 int vuln (char *argv) {
212
&argv[1] char buf[80];
208 int a = 9;
AAAA strcpy (buf, argv);
204
AAAA EBP }
200
AAAA
int main (int argc,
char **argv) {
... int x = 6;
vuln (argv[1]);
}
AAAA
120
a=9 ESP
116
112
python -c 'print “A”*88'
108
104
17. So, you can overflow a buffer...
now what?
Sky is the limit...!
Well, not really :)
Let's just dig deep and
see what exactly the scope of such
a vulnerability is