Skip to content

Advanced overflows. Ret2Reg

In the last topic we looked at the "Classic" style of overflow.

However our approach had a couple of issues.

  • The address we use to jump to our shellcode is hardcoded
    • Means it relies on the stack being reasonably static
    • Easily defeated by ALSR

There are a couple of things we know about the binary that can help

  • Its compiled without PIE
    • Means the addresses in the Binary are Static
    • The start of the payload is pointed to by the EAX register.

Therefore if we can work out a way of getting the value held by the EAX register, we will be able to reliably call our code.

Ret 2 Reg Concept

In a Ret2Reg attack we:

  • Take an instruction in the program that points to a known location on the stack.
  • When we overflow the buffer we set the IP to the address of this instruction
    • The Code Jumps OUT of the stack, and into the instructions for the code itself
    • The Instruction then points us back to the location in the Stack we want

Hunting the Instruction

We know our code places our payload in the EAX register, The assembly instruction call eax (0xffd0) will set the Instruction pointer to whatever the current value of EAX is.

Therefore if we find a call eax instruction we can use it to do this.

Note

In a 64 bit version of the code we would be looking for a call rax

We can use Objdump (or any other dissassembly program) to help hunt for the address we want

$ objdump -d classic32 | grep eax | grep call
 804901d:       ff d0                   call   *%eax
 8049111:       ff d0                   call   *%eax

If we set this as the TARGET_ADDRESS variable in our payload generator we can stabilise the attack.

Back to top