Next step towards exploit : finding the return address


Hey friends , I think it’s the time to take next step towards exploit after reading our all previous posts . In this tutorial you will learn about : What you can do with a venerable code while you are dealing with buffer overflows and finding the current address of ESP( Stack pointer) or say return address.
There are basically three things that can happen as follows:
  1. The first thing is denial of service popularly known as DoS attack. As you can saw in our previous section ,It is really easy to get a segmentation fault while dealing with process memory ,but for any developer its  is the best thing that can happen , because a crashed program will attentive while the other alternatives are more worse which you will see in next two points.
  2. The second thing is running venerable program with user level access , it simply means eip or says rip(For 64 bit architecture) can be control to run malicious code at the user level of access.
  3. The third and the worst thing that can happens when buffer overflows occurs is controlling the eip(Instruction pointers) to execute malicious code at the root level. If you are here it means you already know the power of root in unix base systems( As it is our pre-request to learn basics of linux). The root user can do anything on the system. There are some functions on Linux which are reserved for root users including changing password etc.
So what will happen if program to change password is venurable??
Yaa you are right , in the worst case you can gain root access.
you can give root permission to any program by using following command:
chmod u+s  
chmod u+s buffer
andcan check it from
ls -a 
ls -a buffer

Finding and repeating the return address

Return address is the most useful element, which must be aligned perfectly and repeated unless it overflow the saved eip. Now confused what does it means ?? Let me explain you what does it means .
If we find the current address we can find how much memory a program should take and can guess the final address after the execution of program. Now our task is to overflow the stack so that our eip will jump over it or in simple words we want to jump the address so that we can find the space to use NOP: No operation (We will tell you about them in future posts). It’s like we are on first step of ladder and want to jump at 10th step so that we can left blanked ladders(may it is the worst example buut I hope you will understand what I mean).
So let’s start by finding returning address using a simple c programming code given below (Save it as buffer.c_):
#include
unsigned int _sp(void){
__asm__("movl %esp,%eax);
}
int main(){
printf("\nReturning address or say ESP(stack pointer): 0x%x\n", _sp());
}
#gcc -o stackpointer buffer.c
#./stackpointer
0xffffe5c0
#./stackpointer
0xffffce00
#./stackpointer
0xffffce02
The value of output in your case may be differ from mine.
NOTE:Run it two or three times to ensure the output is same.
If in case you are getting different output disable your ASLR by using cmd below:
#echo “0” >/proc/sys/kernel/randomize_va_space
Now again run ./stackpointer to ensure that output is same now:
#./stackpointer
0xffffe5c0
#./stackpointer
0xffffe5c0
#./stackpointer
0xffffe5c0

Hacking is not a joke so please keep patience and learn it step by step.