I recently started using GDB for a class and I've been struggling a bit. I have an assignment where I have to do the Lab 1 exercise 2 that needs me to search for two vulnerabilities within the code and do the following with them:

The first must overwrite a return address on the stack, and the second must overwrite some other data structure that you will use to take over the control flow of the program.

I already overflowed the data structure, which I think is what it's talking about: the EIP, which points to what instruction it will execute next.

Now how do I get to the return address (RET) of the frame? Any frame, it doesn't matter, I just want to know how I can calculate the bytes between the RET and maybe the ESP so I can subtract it and get the length. I just started with GDB so take it easy on me.

1 Answer

Now how do I get to the return address (RET) of the frame?

To get the location of the stored return address of a specific function, you can place a breakpoint at that function and use the info frame command.

Here is an example:

gdb /path/to/binary
(gdb) br main
(gdb) run
Starting program: /path/to/binary 

Breakpoint 1, 0x08048480 in main ()
(gdb) info frame
Stack level 0, frame at 0xffffd700:
eip = 0x8048480 in main; saved eip = 0xf7e3ca63
Arglist at 0xffffd6f8, args: 
Locals at 0xffffd6f8, Previous frame's sp is 0xffffd700
Saved registers:
ebp at 0xffffd6f8, eip at 0xffffd6fc

Note the saved eip = 0xf7e3ca63 and eip at 0xffffd6fc. In this case you will want to overwrite the value at 0xffffd6fc so that when the function returns execution will continue at the value you stored there.

2 Comments

So I want to overwrite the instruction pointer (EIP)? This leads me to another question: I don't understand the difference between the EIP and the RET. Isn't the EIP meant to point to which instruction comes next, and the RET the saved address that the program stored before going into a function? How do RET and EIP relate to each other?
Yes, the RET is the stored EIP. The call instruction will store the address of the next instruction on the stack. In the function epilogue the ret instruction will pop the RET from the stack into the EIP register. When you overwrote the RET, this is the moment in which you will gain control of the program flow. You can read more about the function pro- and epilogue here: en.wikipedia.org/wiki/Function_prologue
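The frame layout shown by the answer's info frame output (saved ebp, with the saved eip one pointer above it) and the call/ret mechanics described in the comment can be checked from inside a program. This is an added example, not code from the question or the answer; it assumes x86, x86-64 or AArch64 and a compiler that keeps a frame pointer for the inspected function (gcc and clang do once __builtin_frame_address(0) is used).

```c
#include <stdio.h>
#include <string.h>

/* The addresses "info frame" reports for one function's frame. */
struct frame_info {
    void *fp;          /* where the caller's frame pointer is saved ("ebp at ...") */
    void *ret_slot;    /* where the return address is saved ("eip at ...")         */
    void *saved_ret;   /* the value stored in that slot ("saved eip = ...")        */
    void *builtin_ret; /* the compiler's own view of this function's return addr  */
};

/* Inspects this function's own frame, so it must not be inlined.
   Assumption: the frame pointer points at the saved frame pointer and the
   saved return address sits one pointer above it (ebp+4 on x86, rbp+8 on
   x86-64, fp+8 in the AArch64 frame record {fp, lr}). */
__attribute__((noinline)) struct frame_info inspect_own_frame(void)
{
    struct frame_info fi;
    fi.fp = __builtin_frame_address(0);
    fi.ret_slot = (char *)fi.fp + sizeof(void *);
    memcpy(&fi.saved_ret, fi.ret_slot, sizeof fi.saved_ret); /* read the slot */
    fi.builtin_ret = __builtin_return_address(0);
    return fi;
}

/* Returns 1 if the slot one pointer above the saved frame pointer really
   holds what "ret" will pop into eip/rip: the address of the instruction
   after the "call" in the caller, which "call" pushed onto the stack. */
int frame_layout_matches(void)
{
    struct frame_info fi = inspect_own_frame();
    return fi.saved_ret == fi.builtin_ret;
}

int main(void)
{
    /* Mirrors the "Saved registers" section of "info frame". */
    struct frame_info fi = inspect_own_frame();
    printf("frame pointer saved at %p\n", fi.fp);
    printf("return address saved at %p, value %p (points back into main)\n",
           fi.ret_slot, fi.saved_ret);
    printf("layout matches info frame: %s\n",
           frame_layout_matches() ? "yes" : "no");
    return 0;
}
```

The slot address printed here is the same one the answer tells you to read off as "eip at ...", and the value is what a debugger shows as "saved eip".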
