Notes on arsemblage

The EIP (Extended Instruction Pointer) register always points to the memory address from which the CPU will get its next instruction.

The ESP (Extended Stack Pointer) register points to the current location in memory that refers to the top of the stack.

In particular, when a function is called, a stack frame is placed on the stack. Amongst other things, that frame contains the return address that the CPU should load into the EIP register once the function returns, so the program can continue from where it left off. The RET assembly instruction is what accomplishes this when the function is done: when executed, RET takes the memory address at the top of the stack and POPs it into the EIP register, so that execution continues from that address in memory.

In the case of a stack based buffer overflow, this return address on the stack is overwritten with user supplied data. Instead of EIP being loaded with the address of the instruction that follows the original call, EIP is loaded with a user supplied value taken from a particular section of the data sent to the program. After this happens, the ESP register points to the data in memory located immediately after the overwritten return address. This is because the RET instruction that set the value of EIP also moves the stack pointer (ESP) to the next entry on the stack (it effectively adds 4 bytes to the ESP register). This is why a JMP ESP instruction, when used as a trampoline in a simple stack based overflow, will almost always land at a location within the user supplied buffer.
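As an added example (not part of the original notes), a constructed C model of the mechanics described above: CALL pushes the return address, RET pops it into EIP and moves ESP up by 4 bytes, and a JMP ESP executed afterwards lands on the word just past the return slot. The opcodes, addresses and the shadow-stack comparison inside RET are assumptions of this toy model; the comparison mirrors how a shadow stack detects that a saved return address was modified before the function returned.

```c
#include <stdint.h>
#include <string.h>
/* Constructed toy model of 32-bit CALL / RET / JMP ESP: memory is a flat byte array,
 * EIP and ESP are offsets into it. Opcodes are hypothetical, not real x86 encodings. */
enum { OP_HALT, OP_CALL, OP_RET, OP_JMP_ESP };
typedef struct {
    uint8_t  mem[256];
    uint32_t eip, esp;
    uint32_t shadow[16]; int shadow_top;  /* shadow stack: copies of pushed return addresses */
} cpu_t;
uint32_t rd32(const cpu_t *c, uint32_t a) { uint32_t v; memcpy(&v, c->mem + a, 4); return v; }
void     wr32(cpu_t *c, uint32_t a, uint32_t v) { memcpy(c->mem + a, &v, 4); }

/* One instruction: 1 = continue, 0 = HALT, -1 = RET popped a value that no longer
 * matches the shadow-stack copy (i.e. the return slot was modified). */
int step(cpu_t *c) {
    switch (c->mem[c->eip]) {
    case OP_CALL: {                 /* push address of the next instruction, then jump */
        uint32_t target = rd32(c, c->eip + 1), ret = c->eip + 5;
        c->esp -= 4; wr32(c, c->esp, ret);
        c->shadow[c->shadow_top++] = ret;
        c->eip = target; return 1;
    }
    case OP_RET: {                  /* pop top of stack into EIP; ESP moves up 4 bytes */
        uint32_t popped = rd32(c, c->esp);
        c->esp += 4; c->eip = popped;
        return (c->shadow_top > 0 && c->shadow[--c->shadow_top] == popped) ? 1 : -1;
    }
    case OP_JMP_ESP: c->eip = c->esp; return 1;   /* EIP = the address held in ESP */
    default:         return 0;                    /* HALT */
    }
}

/* Tiny program: 0x10 CALL 0x20 ; 0x15 HALT ; 0x20 RET.  Stack top starts at 0x80. */
cpu_t make_cpu(void) {
    cpu_t c; memset(&c, 0, sizeof c);
    c.mem[0x10] = OP_CALL; wr32(&c, 0x11, 0x20);
    c.mem[0x15] = OP_HALT; c.mem[0x20] = OP_RET;
    c.eip = 0x10; c.esp = 0x80; return c;
}

/* Scenario from the text: the saved return address (at 0x7C after CALL) is replaced by
 * addr, where a JMP ESP sits. Returns the RET verdict; *landing = EIP after JMP ESP. */
int overwritten_return(uint32_t addr, uint32_t *landing) {
    cpu_t c = make_cpu();
    step(&c);                       /* CALL: c.esp == 0x7C, holding 0x15 */
    c.mem[addr] = OP_JMP_ESP;
    wr32(&c, c.esp, addr);          /* the overwrite */
    int verdict = step(&c);         /* RET: EIP = addr, ESP = 0x7C + 4 = 0x80 (-1 flagged) */
    step(&c);                       /* JMP ESP: EIP = 0x80, the word just past the slot */
    *landing = c.eip; return verdict;
}
```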