Academy - Stack-Based Buffer Overflows on Linux x86

I’ve been stuck on the “Take control of EIP” question for a few days now.
I know the offset, and from what I understand, that means the EBP is that many bytes into higher memory from the ESP.

Since the question is asking to examine the registers and return the address of EBP, I figured it’s just (address of ESP) + (offset received using the pattern_offset.rb script) = address of EBP.

The offset is definitely correct, as I can overwrite the EBP using that exact number of bytes.

I have also tried simply setting a breakpoint to main, and using “info register” to examine the register and return the value of EBP. I’m kinda of running out of ideas and I think I’m just confusing myself more now.

Any help is appreciated.

1 Like

Is ECX-0x4 dereferenced and its address loaded into ESP at some point? Maybe the return address is stored in ECX then the lea operator will load the dereferenced address into ESP “lea esp, [ecx-0x4]” which requires you to have to JMP to shellcode. I.e. provide an address on the stack which points to a memory address that points to the NOPS - 0x4. For instance: payload = padding + NOPS_ADDR_STACK_ADDR-0x4 + NOPS_ADDR + NOPS + SHELLCODE. Even with ret2libc you will need to decrement/increment any address accordingly and you may need to provide a stack address pointing to the address of, for instance system. If there’s no security mechanism decrementing ECX then your issue may lie in brute forcing the offset of the return address outside the debugger. You can use trial and error to reach the offset by incrementing the target stack address by 0x10/16 bytes or automate the process using python. The reason for this is because the stack shifts in size due to environment variables etc so you may need to increment any stack address by 0x10 to reach its offset in memory outside the debugger.

What happens is eventually the address loaded into ESP will be popped into EIP so you’re not actually discovering the offset of the return address but rather the offset of ECX if the instruction/opcode “lea esp, [ecx-0x4]” is present in the binary.

Thanks for yours (and others) posts on this, else I would have thought I was missing something.

You asked about this in May `21 (a year ago) so you very likely know that the question is incorrect. It is asking for something other than what it wants. It asks for the address of EBP when it wants the value (pattern) within EBP after applying one of the techniques in the lesson.

I’m leaving out details for others who might try this module…

…but, for others reading this, just apply the techniques in the lesson and try values you think are reasonably related to EBP… and keep in mind the question is incorrect, asking for something other than what it wants… but the answer it wants is nevertheless related to EBP.

To be clear, really enjoying the module, but chiming in on this question issue.

1 Like