Jumping Flashcards

Card 1

Q: What are the main methods of executing shellcode after a buffer overflow exploit?

A:

Jump (jmp [register]): After overwriting EIP, replace the value with the address of a suitable "jmp [register]" instruction, so that execution jumps to the location of the shellcode in memory, which presumably is held in one of the registers.

Pop Return (pop return): If none of the registers contain the address where the shellcode starts, but that address is stored further down the stack, a [pop* retn] sequence can be used to pop values off the stack and then return to the appropriate address to begin execution. The number of pops needed depends on where the address resides on the stack.

Push Return (push return): Push the address of the shellcode onto the stack, and then return to it to begin execution.

Jump offset (jump [reg + offset]): If a register points into the shellcode buffer but not at its start, you can find a jump opcode and add an offset to make up the number of bytes by which the jump is off.

Blind Return: Using a RET instruction to POP the last instruction on the stack into ESP

SEH (Structured Exception Handler):
