I have been playing with some wargames and I ported some of then on my Linux machine as well. I noticed that when not using -mpreferred-stack-boundary=2, gcc might compile "main" with an interesting prologue/epilogue: effectively "relying on $ecx (which relies on $ebp-4) for $esp value before ret". Has anyone else come across this observation?
This means you can not overwrite normal ret address staying at $ebp+4, but instead you have to overwrite $ebp-4 (that is ecx) and reposition the stack pointer and your return address (effectively using a stack pivot) to further the exploitation.
Kindly find an example code and related assembly below:
$ cat stack4.c /* stack4-stdin.c * * specially crafted to feed your brain by gera */ #include <stdio.h> int main() { int cookie; char buf[80]; printf("buf: %08x cookie: %08x\n", &buf, &cookie); gets(buf); if (cookie == 0x000d0a00) printf("you win!\n"); } $ objdump -D ./stack4_normal | grep -A31 main.: 0804845b <main>: 804845b: 8d 4c 24 04 lea 0x4(%esp),%ecx 804845f: 83 e4 f0 and $0xfffffff0,%esp 8048462: ff 71 fc pushl -0x4(%ecx) 8048465: 55 push %ebp 8048466: 89 e5 mov %esp,%ebp 8048468: 51 push %ecx 8048469: 83 ec 64 sub $0x64,%esp 804846c: 83 ec 04 sub $0x4,%esp 804846f: 8d 45 f4 lea -0xc(%ebp),%eax 8048472: 50 push %eax 8048473: 8d 45 a4 lea -0x5c(%ebp),%eax 8048476: 50 push %eax 8048477: 68 50 85 04 08 push $0x8048550 804847c: e8 8f fe ff ff call 8048310 <printf@plt> 8048481: 83 c4 10 add $0x10,%esp 8048484: 83 ec 0c sub $0xc,%esp 8048487: 8d 45 a4 lea -0x5c(%ebp),%eax 804848a: 50 push %eax 804848b: e8 90 fe ff ff call 8048320 <gets@plt> 8048490: 83 c4 10 add $0x10,%esp 8048493: 8b 45 f4 mov -0xc(%ebp),%eax 8048496: 3d 00 0a 0d 00 cmp $0xd0a00,%eax 804849b: 75 10 jne 80484ad <main+0x52> 804849d: 83 ec 0c sub $0xc,%esp 80484a0: 68 68 85 04 08 push $0x8048568 80484a5: e8 86 fe ff ff call 8048330 <puts@plt> 80484aa: 83 c4 10 add $0x10,%esp 80484ad: 8b 4d fc mov -0x4(%ebp),%ecx 80484b0: c9 leave 80484b1: 8d 61 fc lea -0x4(%ecx),%esp 80484b4: c3 ret I have found several StackExchange topics and explanation about why this happens. Nevertheless, I am looking for a guide/tutorial that specifically deals with the exploitation part. Perhaps someone smarter than me has standardised this exploitation in a much better way than I do.
It seems that most people, in tutorials, just use -mpreferred-stack-boundary=2 to avoid this problem and continue normally with the exploitation tutorial.
I find it hard to believe that no-one has mentioned this in a tutorial as new versions of gcc compile like this by default (at least at my machine).
In any case, the question is:
Is this the optimal way to exploit this (using a stack pivot)?
If no, can someone please point me to a tutorial or explanation of a better way?
