The program is shown in the similar thread here.

Let's assume that my OS doesn't implement ASLR or other protections from buffer overflow.

Long story short, the author is spawning a child process from a parent process and passing the buffer created by the parent process to the child to overwrite the return address on the child stack to spawn a shell. So far so good.

The thing that I have trouble understanding is that the return address is calculated in the parent process, i.e.:

ret = (unsigned int) &i - offset; // Set return address

This return address is an address on the stack of the parent process, but the child process has its own stack, i.e. its own address space. How did the author conclude that the ret calculated above will be the approximate location of the nop sleds / shellcode on the child's stack frame, when both these stacks are different and unrelated?

For experimentation, I tried switching off ASLR temporarily, debugged these programs individually using gdb, and found out that when I set a breakpoint on the main function, $ESP always points to 0xffffd02c for the parent process and 0xffffd04c for the child process.

CherryDT
noob_user
  • I am trying to understand what you don't understand. Are you trying to ask how they calculated `offset`? Or why the code works? Or anything else? An explicit question mark would make it clearer. Also, at the end of your question, I feel some information is missing. You did the experiment, it was successful, and then what? You couldn't understand how to apply its results to your situation? – anatolyg May 18 '23 at 06:47
  • I'm trying to understand this: the parent and child address spaces are different (as they are different processes), so how does the author assume that the return address he calculated in the parent process is related to that of the child process? – noob_user May 18 '23 at 06:49
  • My question is: does the author assume that the return address he is calculating in the parent will be approximately that of the child process because both main(..) stacks will eventually start at the same addresses? – noob_user May 18 '23 at 06:58
  • Same or similar, and "similar" suffices due to the nop slide. And yes, this is not a robust way. However, this seems to be pretty much the same question that you already linked yourself above, and it has an answer there... do you have any further question about it? Right now I'd say your question is a duplicate of the other one... – CherryDT May 18 '23 at 07:00

1 Answer

The stacks of the two processes are unrelated, but they have the same address (virtual address). The operating system places the stacks of all user processes at the same address (if no ASLR), even if one program invokes the other. This was actually a great debugging help 10 years ago!

When you know that, how do you determine the "magical" address? You could write a program which prints an address of a stack variable and then write that "magical" address on paper, to use it for all your exploits. But even better, if you invoke the exploitable program from your own program, you already have that "magical address" in your program.

anatolyg