I am trying to understand the classic buffer overflow exploits, where the input buffer overwrites the stack, the return address of the function, which is stored in the stack area and at the top of the memory (where shell code is usually located). There are many examples of this on the Internet, and I think I understood this pretty well:
You put more data in some input buffer, which the developer made a fixed size
Your input overwrites the function arguments and the return address of the calling function on the stack
- This address is loaded into EIP when the OS tries to return from the function in which the overflow occurred, and this allows you to receive data that you control into the EIP register (when you do not read carefully some articles, you get the impression that you can overwrite the CPU registers. Of course, this is not so, you can rewrite the stack, but the CPU will load the addresses from the stack into its registers).
- If the exploit is well designed, the value loaded into the EIP will cause the program to go to the beginning of the shell code (see paragraph 5).
- The next thing, which I think is well understood, is the JMP ESP mechanism. When you copy an accident in a lab environment, you look for a place in memory that contains the "JMP ESP" instruction, and you overwrite EIP (now my wording is inaccurate, I know ...) with that address. This address should be identical no matter how often you run it, what time, what thread your stuff is running, etc. At least for the same OS version, and the address should not contain forbidden bytes. The code will go to this address (at the same time, the stack is reduced by 4 bytes), so "jmp esp" will go to the next address in my overflow buffer after the place where I set the value to overwrite EIP, and usually this is where it goes shellcode, possibly using NOP.
Now the question is.
, , "JMP ESP" DLL ( , ASLR ..). exe "jmp esp"? DLL?
"! Mona modules" Immunity Debugger, , , - exe. , DLL .
. Exe , DLL. ?