call esp如何执行
最近在研究缓冲区溢出漏洞,在说到定位shellcode时,有一种不是很可取方法就是利用call esp这条指令,我纠结的是CPU如何执行这条指令:
书上讲解:
1.intel的P3及其以下的CPU对这个指令的实现可能存在BUG,这样执行:
eip = esp - 4
esp = esp - 4
然后把返回地址存入新的esp;???
疑问在这里,eip已经被覆盖了,返回地址存放在哪里???
2.intel的p4及其以上和AMD的cpu对这个指令执行如下:
eip = esp
esp = esp - 4
然后把返回地址存入新的esp;???同样的问题,返回地址存在哪里???
[解决办法]
IF near call
THEN IF near relative call
THEN
IF OperandSize = 64
THEN
tempDEST ←SignExtend(DEST); (* DEST is rel32 *)
tempRIP ←RIP +tempDEST;
IF stack not large enough for a 8-byte return address
THEN #SS(0); FI;
Push(RIP);
RIP ←tempRIP;
FI;
IF OperandSize = 32
THEN
tempEIP ←EIP +DEST; (* DEST is rel32 *)
IF tempEIP is not within code segment limit THEN #GP(0); FI;
IF stack not large enough for a 4-byte return address
THEN #SS(0); FI;
Push(EIP);
EIP ←tempEIP;
FI;
IF OperandSize = 16
THEN
tempEIP ←(EIP +DEST) AND 0000FFFFH; (* DEST is rel16 *)
IF tempEIP is not within code segment limit THEN #GP(0); FI;
IF stack not large enough for a 2-byte return address
THEN #SS(0); FI;
Push(IP);
EIP ←tempEIP;
FI;
ELSE (* Near absolute call *)
IF OperandSize = 64
CALL—Call Procedure
Vol. 2A 3-93
INSTRUCTION SET REFERENCE, A-M
THEN
tempRIP ←DEST; (* DEST is r/m64 *)
IF stack not large enough for a 8-byte return address
THEN #SS(0); FI;
Push(RIP);
RIP ←tempRIP;
FI;
IF OperandSize = 32
THEN
tempEIP ←DEST; (* DEST is r/m32 *)
IF tempEIP is not within code segment limit THEN #GP(0); FI;
IF stack not large enough for a 4-byte return address
THEN #SS(0); FI;
Push(EIP);
EIP ←tempEIP;
FI;
IF OperandSize = 16
THEN
tempEIP ←DEST AND 0000FFFFH; (* DEST is r/m16 *)
IF tempEIP is not within code segment limit THEN #GP(0); FI;
IF stack not large enough for a 2-byte return address
THEN #SS(0); FI;
Push(IP);
EIP ←tempEIP;
FI;
FI;rel/abs
FI; near