address    | values
-----------+---------------------------------------------------------
           | +---------------- Function stack frame ---------------+
           | | +----------- stack vars -----------+ +-saved ebp -+ |
0xffffd264 | | | 0x00000000 0x00000000 0x00000000 | | 0xffffd298 | |
           | | +----------------------------------+ +------------+ |
           | +-----------------------------------------------------+
           | +---------------- main stack frame -------------------+
           | | +-saved eip -+ +--- function params ---+            |
0xffffd274 | | | 0x565561dd | | 0x00000001 0x00000002 | 0x00000001 |
           | | +------------+ +-----------------------+            |
           | +-----------------------------------------------------+
If a buffer overflow occurs within the function, it may be possible to overwrite the saved registers:
address    | values
-----------+---------------------------------------------------------
           | +---------------- Function stack frame ---------------+
           | | +----------- stack vars -----------+ +-saved ebp -+ |
0xffffd264 | | | 0x41414141 0x41414141 0x41414141 | | 0x41414141 | |
           | | +----------------------------------+ +------------+ |
           | +-----------------------------------------------------+
           | +---------------- main stack frame -------------------+
           | | +-saved eip -+ +--- function params ---+            |
0xffffd274 | | | 0x41414141 | | 0x00000001 0x00000002 | 0x00000001 |
           | | +------------+ +-----------------------+            |
           | +-----------------------------------------------------+
In this example, a buffer overflow occurs at the variable stored at 0xffffd264. 20 'A' bytes have been sent: 12 fill the stack variables, 4 overwrite the saved EBP and the last 4 entirely overwrite the saved EIP register.
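As an added example (not code from the original page), the overflow described above modelled in C. The frame is represented by a struct laid out like the diagram (12 bytes of variables, saved EBP, saved EIP) rather than by the program's real stack, so the unchecked copy corrupts only the model and the effect can be inspected. The struct, the function names and the 'A' input are constructed for this example; the values 0xffffd298, 0x565561dd and 0x41414141 are those shown in the diagrams. The unchecked copy sits beside the bounded replacement that refuses over-long input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the frame in the diagram: 12 bytes of stack variables, then the saved EBP,
 * then the saved EIP. This is an ordinary struct built for the example, not the real
 * stack, so the unchecked copy below corrupts only the model. */
#define LOCALS_SIZE 12

struct frame_model {
    char     locals[LOCALS_SIZE];   /* 0xffffd264 in the diagram */
    uint32_t saved_ebp;             /* 0xffffd270 */
    uint32_t saved_eip;             /* 0xffffd274 */
};

/* How far an unchecked write of len bytes from the start of the variables reaches. */
enum reach { REACHES_LOCALS_ONLY = 0, REACHES_SAVED_EBP = 1, REACHES_SAVED_EIP = 2 };

enum reach overflow_reach(size_t len) {
    if (len > offsetof(struct frame_model, saved_eip)) return REACHES_SAVED_EIP;
    if (len > offsetof(struct frame_model, saved_ebp)) return REACHES_SAVED_EBP;
    return REACHES_LOCALS_ONLY;
}

/* The page's function, modelled: copies len bytes with no bounds check, so anything
 * beyond LOCALS_SIZE lands on saved_ebp and then saved_eip. The clamp to the model's
 * size exists only so the simulation itself stays inside the struct. */
int unchecked_copy(struct frame_model *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, src, len);            /* writes through locals into the saved registers */
    return 0;
}

/* The fix: refuse input that does not fit in the variables. Returns -1 and writes
 * nothing when the input is too long, so the saved registers can never be reached. */
int bounded_copy(struct frame_model *f, const char *src, size_t len) {
    if (len > LOCALS_SIZE) return -1;
    memcpy(f->locals, src, len);
    return 0;
}

typedef int (*copy_fn)(struct frame_model *, const char *, size_t);

/* Build a frame with the diagram's values, send n bytes of 'A' through fn, and return
 * the saved EIP afterwards: 0x565561dd if untouched, 0x41414141 if overwritten. */
uint32_t saved_eip_after(copy_fn fn, size_t n) {
    struct frame_model f = { {0}, 0xffffd298u, 0x565561ddu };
    char input[sizeof f];           /* constructed input: all 'A' */
    if (n > sizeof input) n = sizeof input;
    memset(input, 'A', sizeof input);
    fn(&f, input, n);
    return f.saved_eip;
}

int main(void) {
    printf("unchecked, 20 bytes: saved EIP = 0x%08x (reach %d)\n",
           saved_eip_after(unchecked_copy, 20), (int)overflow_reach(20));
    printf("bounded,   20 bytes: saved EIP = 0x%08x\n",
           saved_eip_after(bounded_copy, 20));
    return 0;
}
```

With 20 bytes the unchecked copy leaves the model's saved EIP at 0x41414141, exactly as in the second diagram, while the bounded copy rejects the input and the saved EIP stays 0x565561dd. On a real frame a compiler stack protector (GCC's -fstack-protector) would abort before the corrupted saved EIP is used; the model has no such guard, which is why the effect is directly visible here.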