I have seen that by replacing the return address on the stack, the `EIP` can be made to point at addresses that are part of the stack. But, for example, `JMP` needs the programmer to specify the code segment when doing far jumps between segments. What happens when you replace the return address? Does the `CS` change?

No, mainstream operating systems use a flat memory model, `CS` is constant, jumps are near, and all addresses are offsets only. (Unless you are doing fancy things like mixing 32 and 64 bit for example.) – Jester Nov 17 '17 at 23:09
1 Answer
`far call` / `far ret` exist too, along with the `far jmp` you mentioned, but nobody uses them either. (All mainstream OSes use a flat memory model where `cs` is constant.)

Any normal compiler-generated code will be using near `ret`, so it only pops into `EIP` / `RIP`, not a wider value into `CS:EIP`.

If you want your exploit to switch to the OS's 64-bit user-space code segment selector value in a 32-bit process (or vice versa), you're going to have to gain enough control to run a far `jmp` / `call` / `ret` in your payload, or jump to one that exists as part of another instruction somewhere or in data on an executable page.

Beware that the OS may not preserve your modified `cs` in some cases. For example, some ways of invoking Linux system calls set `cs` to the kernel's `__USER32_CS` constant.
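An added example (not part of the answer above) that makes the flat-model point observable: it reads the `cs` selector before a near `call`, inside the callee, and after the near `ret`, and decodes the selector into its index / table-indicator / RPL fields. It assumes gcc or clang on x86 or x86-64; on other architectures, where there is no `cs`, `read_cs` returns 0 so the file still builds.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded fields of a 16-bit x86 segment selector (the value held in CS). */
struct selector {
    uint16_t index;  /* descriptor index in the GDT/LDT (bits 3..15) */
    uint8_t  ti;     /* table indicator: 0 = GDT, 1 = LDT (bit 2) */
    uint8_t  rpl;    /* requested privilege level, 3 = user mode (bits 0..1) */
};

struct selector decode_selector(uint16_t sel)
{
    struct selector s = { (uint16_t)(sel >> 3), (uint8_t)((sel >> 2) & 1),
                          (uint8_t)(sel & 3) };
    return s;
}

/* Read the CS register. Only x86 has one; elsewhere return 0 (assumption
 * made here so the comparisons below still build and stay meaningful). */
static uint16_t read_cs(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint16_t cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cs;
#else
    return 0;
#endif
}

/* Callee reached by a near call and left by a near ret. */
static uint16_t __attribute__((noinline)) cs_inside_callee(void)
{
    return read_cs();
}

/* Returns 1 if CS is identical before the call, inside the callee and after
 * the near ret: the ret popped only an offset into EIP/RIP, CS was untouched. */
int cs_unchanged_across_call(void)
{
    uint16_t before = read_cs();
    uint16_t inside = cs_inside_callee();
    uint16_t after  = read_cs();
    return before == inside && inside == after;
}

int main(void)
{
    struct selector s = decode_selector(read_cs());
    printf("CS=0x%04x index=%u ti=%u rpl=%u unchanged=%d\n",
           read_cs(), s.index, s.ti, s.rpl, cs_unchanged_across_call());
    return 0;
}
```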
