In my program I am trying to modify the EIP to point to buffer base address which contains shell code
example:
0xbffff5f3 is an address on the stack which points to

```c
code[80] = "\x90\x90\x90\x90\x90\x31\xc0\x31\xdb\x31\xc9\"
```
I create a pointer `ret` and, using stack frame knowledge, point it to the base address of the buffer.
```c
{
    // Some more pointer arithmetic on ret
    (*ret) = (int)code;
    return;
}
```
Modified `eip` to:

```
eip 0xbffff5f3 0xbffff5f3
```
This works perfectly well and my shell code executes. But `ret` is hard-coded with the buffer address.
However, now I would want my shell code to contain the buffer's base address, known in advance, so that the EIP will point to it once the buffer overflows.
How can I know the buffer's base address in advance?
(Image: The buffer itself contains the address of shellcode)
Edit: Refining my question: Given a statically declared array `code[80]`, how can I determine beforehand the base address of this array on the stack, so that I can insert this base address into my shell code and insert appropriate padding bytes and NOPs to make EIP point to the shell code?
I have seen many examples on the Internet, and all of them demonstrate using GDB and figuring out the buffer address at runtime; however, if I have to programmatically derive the shell code's address, can this be achieved?
There is no direct way. You need to employ target-specific tricks. They include:
esp
)