Instruction pointer Overwrite
Arbitrary Instruction redirection
How it works?
As explained in the "STACK" part, when a function is called the process stores the current value of the instruction pointer (the return address) onto the stack. Thus, the saved instruction pointer always sits at the end of a function's stack frame, just above the saved frame pointer.
    address    | values
---------------+-------------------------------------------------------------
               | +---------------- function stack frame -------------------+
               | | +------------- stack vars -------------+ +-saved ebp -+ |
0xffffd264     | | | 0x00000000 0x00000000 0x00000000     | | 0xffffd298 | |
               | | +--------------------------------------+ +------------+ |
               | +---------------------------------------------------------+
               | +-------------------- main stack frame -------------------+
               | | +-saved eip -+ +---- function params ---+               |
0xffffd274     | | | 0x565561dd | | 0x00000001 0x00000002  | 0x00000001    |
               | | +------------+ +------------------------+               |
               | +---------------------------------------------------------+
If a buffer overflow occurs within the function, it may be possible to overwrite the saved registers: the copy runs past the local variables into the saved ebp and then into the saved eip, so the function returns to whatever value now sits in that slot.
    address    | values
---------------+-------------------------------------------------------------
               | +---------------- function stack frame -------------------+
               | | +------------- stack vars -------------+ +-saved ebp -+ |
0xffffd264     | | | 0x41414141 0x41414141 0x41414141     | | 0x41414141 | |
               | | +--------------------------------------+ +------------+ |
               | +---------------------------------------------------------+
               | +-------------------- main stack frame -------------------+
               | | +-saved eip -+ +---- function params ---+               |
0xffffd274     | | | 0x41414141 | | 0x00000001 0x00000002  | 0x00000001    |
               | | +------------+ +------------------------+               |
               | +---------------------------------------------------------+
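The two diagrams above as an added example, not code from the original page: a small C model of the frame, with the unbounded copy that turns the first picture into the second next to the length check that prevents it. The struct, its field names and the copy routines are constructed for this illustration; the word values are the ones shown in the diagrams, and the 0x41 bytes are a constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* In-memory model of the 32-bit frame drawn above. The field order mirrors
   the diagram, lowest address first; the initial values are the ones the
   diagram shows (constructed sample, not taken from a live process). */
typedef struct {
    uint32_t stack_vars[3]; /* 0xffffd264: 12-byte local buffer            */
    uint32_t saved_ebp;     /* 0xffffd270: caller's frame pointer          */
    uint32_t saved_eip;     /* 0xffffd274: return address into main        */
    uint32_t params[2];     /* function arguments, already in main's frame */
} frame_t;

static frame_t fresh_frame(void)
{
    frame_t f = { {0, 0, 0}, 0xffffd298u, 0x565561ddu, {1u, 2u} };
    return f;
}

/* The defect: the copy trusts the caller's length. Because the frame is one
   contiguous object, bytes beyond the 12-byte buffer land in saved_ebp and
   then in saved_eip. The clamp to sizeof(frame_t) exists only so that this
   model never writes outside its own struct. */
static void unbounded_copy(frame_t *f, const uint8_t *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, src, len); /* stack_vars is at offset 0, so this starts at the buffer */
}

/* The fix: refuse any input that does not fit in the buffer.
   Returns 0 when copied, -1 when rejected. */
static int bounded_copy(frame_t *f, const uint8_t *src, size_t len)
{
    if (len > sizeof f->stack_vars)
        return -1;
    memcpy(f->stack_vars, src, len);
    return 0;
}

/* Bitmask of the saved registers that no longer hold their original value:
   bit 0 = saved ebp, bit 1 = saved eip. */
static int clobbered(const frame_t *f)
{
    const frame_t clean = fresh_frame();
    int mask = 0;
    if (f->saved_ebp != clean.saved_ebp) mask |= 1;
    if (f->saved_eip != clean.saved_eip) mask |= 2;
    return mask;
}

/* Copy `len` bytes of 'A' (0x41) into a fresh frame with either routine.
   Returns -1 if the bounded copy rejected the input, else the clobbered() mask. */
static int overflow_demo(size_t len, int use_bounded)
{
    uint8_t input[sizeof(frame_t)];
    frame_t f = fresh_frame();

    memset(input, 'A', sizeof input);
    if (len > sizeof input)
        len = sizeof input;
    if (use_bounded)
        return bounded_copy(&f, input, len) == 0 ? clobbered(&f) : -1;
    unbounded_copy(&f, input, len);
    return clobbered(&f);
}

/* Value found in the saved-eip slot after an unbounded copy of `len` bytes. */
static uint32_t saved_eip_after(size_t len)
{
    uint8_t input[sizeof(frame_t)];
    frame_t f = fresh_frame();

    memset(input, 'A', sizeof input);
    unbounded_copy(&f, input, len);
    return f.saved_eip;
}

int main(void)
{
    static const size_t lens[] = { 12, 16, 20 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("%2zu bytes, unbounded: clobber mask %d, saved eip 0x%08x\n",
               lens[i], overflow_demo(lens[i], 0), saved_eip_after(lens[i]));
        printf("%2zu bytes, bounded:   %s\n", lens[i],
               overflow_demo(lens[i], 1) < 0 ? "rejected" : "copied, frame intact");
    }
    return 0;
}
```

Running it shows the clobber mask grow from 0 (12 bytes fill only the buffer) to 1 (16 bytes reach the saved ebp) to 3 (20 bytes reach the saved eip, which now reads 0x41414141 as in the second diagram), while the bounded copy rejects anything over 12 bytes and leaves both slots intact. The compiler-inserted stack canary is the usual runtime check for this exact pattern: it sits between the locals and the saved ebp, so it is overwritten before the saved registers are, and the function aborts on return instead of using the corrupted eip.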