EIP (Extended Instruction Pointer) is the register that points to the next instruction to be executed; it simply holds the address at which that instruction is placed. So if we overwrite it, we can redirect the control flow of the program and make it do what we want. In other words, if we overwrite EIP we are the main controller of the program. I suggest you also have a glance at Stack Overflows.

Eg :- Suppose we have a program that just calls exit. Its objdump would be:

Code:
08048060 <_start>:
 8048060:   31 c0       xor    %eax,%eax
 8048062:   b0 01       mov    $0x1,%al
 8048064:   31 db       xor    %ebx,%ebx
 8048066:   b3 07       mov    $0x7,%bl
 8048068:   cd 80       int    $0x80

So when the program starts, EIP points to the _start label, that is 0x08048060. As we move down the listing, EIP simply points to the next instruction. I hope this makes it clear.

A basic function stack frame looks like:

Code:
|Arguments to the function |
|More data                 |
|EBP                       |
|EIP                       |

So in order to overwrite EIP we have to overwrite all the data present on the stack before it. Now that we know about EIP, let's exploit it.

Exploiting

In this article we'll be using another buggy program, built around the unsafe (and widely deprecated) strcpy() function.

buggyProgram.c

Code:
#include <stdio.h>
#include <string.h>   // just for the sake of strcpy()

int main(int argc, char **argv)
{
    char userInput[10];          // fixed-size buffer on the stack

    if (argc != 2) {
        printf("Usage : %s userInput\n", argv[0]);
        return 0;
    }

    strcpy(userInput, argv[1]);  // buggy function: no length check on argv[1]
    return 0;
}

Compiling :- (Again we'll be using the -fno-stack-protector flag so that the compiler's stack protector doesn't stop us, and -ggdb so that we get a closer look at the program with GDB.)

Code:
gcc buggyProgram.c -o buggyProgram -fno-stack-protector -ggdb

Now let's just test that the program runs as smoothly as it should:

Code:
aneesh@aneesh-laptop:~/articles/C$ ./buggyProgram 123

OK, so the program is fine. Now let's feed in a malicious string and see what happens.
Code:
aneesh@aneesh-laptop:~/articles/C$ ./buggyProgram AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

Whoa!! We got a segmentation fault. Let's get a closer look at the program with GDB:

Code:
aneesh@aneesh-laptop:~/articles/C$ gdb ./buggyProgram
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/aneesh/articles/C/buggyProgram...done.
(gdb)

Now let's place a breakpoint at the beginning of the program and run it:

Code:
(gdb) break main
Breakpoint 1 at 0x804841d: file buggyProgram.c, line 8.
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/aneesh/articles/C/buggyProgram AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, main (argc=2, argv=0xbffff484) at buggyProgram.c:8
8           if(argc != 2)
(gdb)

Let's step through the code and have a look at the registers:
Code:
(gdb) s
13          strcpy(userInput,argv[1]); // buggy function...
(gdb) s
14      }
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x0804845d in main (argc=Cannot access memory at address 0x41414149
) at buggyProgram.c:14
14      }
(gdb) i r
eax            0xbffff3c6       -1073744954
ecx            0x0      0
edx            0x61     97
ebx            0x283ff4 2637812
esp            0xbffff3dc       0xbffff3dc
ebp            0x41414141       0x41414141
esi            0x0      0
edi            0x0      0
eip            0x804845d        0x804845d <main+73>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb)

As we can see, we overwrote the EIP, and that's why we were getting a segmentation fault. This is because the EIP was overwritten with 3 A's, and thus we couldn't continue the execution flow of the program, as 0x41414149 is an address the program has no access to. Note in the dump that EBP already holds 0x41414141 (the saved frame pointer was covered by our A's) while EIP still points inside main at main+73; the unreadable address 0x41414149 is that corrupted EBP plus 8, which is where GDB expects to find main's argc. I hope you understand how the program got the segmentation fault and why.

In my next article I'll be showing how this EIP overwrite can give us control of program execution. That's all for this article; stay tuned for more.
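A crash-triage check for the register dump above, added here as an example (not code from the original article): it scans a gdb "i r" listing and reports which registers already hold the 0x41414141 fill pattern of the crashing input. The dump string is a constructed copy of the values shown in the session; the function name and the FILL_PATTERN macro are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Fill pattern of the crashing input: four 'A' bytes read as one little-endian word. */
#define FILL_PATTERN 0x41414141u
/* Constructed copy of the article's "i r" output (not captured live here). */
static const char *sample_dump =
    "eax 0xbffff3c6 -1073744954\n"
    "ecx 0x0 0\n"
    "edx 0x61 97\n"
    "ebx 0x283ff4 2637812\n"
    "esp 0xbffff3dc 0xbffff3dc\n"
    "ebp 0x41414141 0x41414141\n"
    "esi 0x0 0\n"
    "edi 0x0 0\n"
    "eip 0x804845d 0x804845d <main+73>\n";

/* Walks the dump line by line; names of registers whose value equals `pattern`
 * are appended to `hits` (comma-separated). Returns the number of hits. */
int find_pattern_registers(const char *dump, unsigned pattern,
                           char *hits, size_t hits_size)
{
    int count = 0;
    const char *line = dump;
    hits[0] = '\0';
    while (*line != '\0') {
        char name[16];
        unsigned value;
        const char *nl;
        /* each line starts with "<reg> 0x<hex>"; the rest is ignored */
        if (sscanf(line, "%15s 0x%x", name, &value) == 2 && value == pattern) {
            if (count > 0)
                strncat(hits, ",", hits_size - strlen(hits) - 1);
            strncat(hits, name, hits_size - strlen(hits) - 1);
            count++;
        }
        nl = strchr(line, '\n');
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return count;
}

int main(void)
{
    char hits[64];
    int n = find_pattern_registers(sample_dump, FILL_PATTERN, hits, sizeof hits);
    printf("%d register(s) hold 0x%08x: %s\n", n, FILL_PATTERN, n ? hits : "(none)");
    return 0;
}
```

For the article's dump only EBP is reported, which tells a triager that the saved frame pointer was reached by the overwrite; a dump in which EIP itself shows the pattern would mean the return address was reached too.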
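The fix for the bug exploited above, added here as an example (not the article's own code): the same 10-byte userInput buffer, but the unchecked strcpy(userInput, argv[1]) is replaced by a copy that refuses input which would not fit together with its terminator. The helper names copy_user_input and overflow_bytes are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define USER_INPUT_SIZE 10   /* same size as char userInput[10] in buggyProgram.c */

/* Bounds-checked replacement for strcpy(userInput, argv[1]).
 * Copies src into dst only if it fits together with its NUL terminator.
 * Returns 1 on success, 0 if the input is too long (dst is then left empty). */
int copy_user_input(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size) {        /* len + 1 bytes are needed, only dst_size exist */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);    /* includes the terminator; never exceeds dst_size */
    return 1;
}

/* How many bytes the unchecked strcpy() would have written past the end of
 * a dst_size buffer for this input (0 when the input fits). */
size_t overflow_bytes(size_t dst_size, const char *src)
{
    size_t needed = strlen(src) + 1;
    return needed > dst_size ? needed - dst_size : 0;
}

int main(int argc, char **argv)
{
    char userInput[USER_INPUT_SIZE];

    if (argc != 2) {
        printf("Usage : %s userInput\n", argv[0]);
        return 1;
    }
    if (!copy_user_input(userInput, sizeof userInput, argv[1])) {
        fprintf(stderr, "rejected: %zu byte(s) would spill past userInput\n",
                overflow_bytes(sizeof userInput, argv[1]));
        return 1;
    }
    printf("copied safely: %s\n", userInput);
    return 0;
}
```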
Thanks for accepting my article... And guys, stay tuned... I have already posted my next article and it will be coming up in 1-2 days...
Operator overloading is often a not-understood affection that accredits both array-like behaviour, pointer-like operations and built-in-like operations. C++ programmers prefer to avoid pointers because of the bugs that can be introduced.