How To: Attack on Stack [Part 2]; Smash the Stack Visualization: Ebp, Esp, RET and Stack Frames.

Attack on Stack [Part 2]; Smash the Stack Visualization: Ebp, Esp, RET and Stack Frames.

Attack on Stack [Part 2]; Smash the Stack Visualization: Ebp, Esp, RET and Stack Frames.

Hi everyone!

After messing around a little bit with IDA and Hopper disassemblers and briefly introducing you to memory, registers and Assembly, we are going to understand what happens when a process is running, which variables join the play and especially what happens when a function is called and why is this procedure-logic so interesting and useful along with the concept of stack.

Today's Topic

Today we are going to build on the fundaments I've prepared in the first part of the guide. We will take a closer look to stack building, function calling and stack frames.

After a brief explanation of the first few assembly instructions found, we will have to understand what's the real scope of Ebp and Esp registers, what do they refer to and the concept of pointers, while giving a look at return address and stack frames. Don't worry if you can't understand something, these concepts will be repeated and explained deeper in the next parts of the guide.

Again, if you have any question, don't hesitate to ask.

A Prototype of Stack Representation and Function Prologue.

By recalling the first circle-shaped memory example I gave, we are now moving to a less different kind of representation. Usually, the first 3 or 4 instructions in a function serve as stack fixing procedures.

Function Prologue, Stack Frame and Ebp Register

The main actors in the stack frame building play are Ebp register and Esp register. When a stack frame is being built, the Esp is moved along with the Ebp.

Esp Register and Return Address (RET)

Esp, which points to the end of the Stack, thus to the end of the current stack frame, makes space for the return address and the value of ebp during the previous stack frame while building the stack frame. It then slides back to its previous value (found near the saved ebp and right after the return address, which are the first arguments to be pushed into the next stack frame once called the associated function).

Summarizing

To try and clear any confusion, let's write down the steps ad the fundamental concepts so far explained.

Examining and Explanation of the First Instructions

Now that we know how is a stack frame built, we are able to understand the meaning and the purposes of the first instructions, or "function prologue". We will then try to understand where is located in memory our input string using GDB, and how is it passed to main's stack frame.

References

Aleph1's "Smashing the Stack for Fun and Profit"
"Hacking, The Art of Exploitation"
"Buffer Overflow Demistified" by murat.
"The Shellcoder's Handbook"
Part 1 of "Attack On Stack"
Part 3 of "Attack On Stack"
Part 4 of "Attack On Stack"
Part 5 of "Attack On Stack"
Part 6 of "Attack On Stack"
Prelude to Reverse Engineering: IDA and Hopper Binary Patching Introduction

Side Note to Null Byte Users

Hey everyone! How is it going?

Last time I received the greatest feedback so far, it was overwhelming, so thank you guys for being there, really! This time, as advised by CyberHitchHiker, I put a (hopefully) not so annoying watermark on the pictures, tell me if that is enough, and I will do the same with the pictures of the previous part too.

Of course, critics are always welcome, so if you notice that something is missing or wrong, don't hesitate to report it, I'd be glad to add or fix it.

Enjoy the Stack!

2 Comments

Wow, a part two already?! Great work Ciuffy!

They are actually all ready ^^", thanks!

Share Your Thoughts

  • Hot
  • Latest