I am currently learning about buffer overflow attacks. I understand that the idea is to overwrite the return address.
The return address points to the statement that follows the function call. What I am wondering is: does this pointer point to the text segment of the program? Or does it point to the heap or something else?
Thanks a lot for your help!
Since you're referring to return addresses on the stack, I'm going to assume that you're on the ubiquitous x86_64. You can examine this yourself by replacing the `call` instruction with its equivalent `push`, `jmp`, and label (assuming `myfn` is a leaf routine):
```asm
push offset RA1
jmp _myfn
RA1:
; Remainder of instructions in the calling code...
```
When I actually assemble this, I get the following code:

```asm
00401004: 68 0B 10 40 00    push 40100Bh      ; RA1
00401009: EB F5             jmp  00401000     ; myfn
0040100B: 33 C0             xor  eax,eax      ; next instruction
```
Now, 00400000 is the default base address for executables in the MS Windows PE format, and for this particular executable of mine, it says that the `.text` (i.e. code) section runs from 00401000 to 0040100D, so yes, the return address in `[esp]` when `myfn` is called indeed points within the `.text` segment.
Where else did you think it might point? The return address has to be the address of the instruction immediately after the `call` instruction, which, like all other code, goes in the `.text` segment.