Bugtraq mailing list archives

Re[2]: Can't Preventing exploitation with rebasing
From: dullien () gmx de
Date: Thu, 6 Feb 2003 20:14:03 +0100

Hey all,

bghn> DIGRESSION:
bghn>         Dave Litchfield says you can call esp.  I don't know Dave's
bghn>         relationships with his registers but this doesn't work if I want
bghn>         to get my eip on top of my shellcode.  Always starts executing a
bghn>         memory address for me.  Maybe if I took esp out to dinner more
bghn>         often then I could call it instead of having to jump on top of it.
bghn>         Dave, any suggestions for the wine list?
bghn> END DIGRESSION.

Problem here is Intel ignoring its own standards. The standard says
to first transfer control, then push the old EIP on the stack -- but
Intel CPUs since Pentium have done it the other way around, first
pushing EIP (and decreasing ESP), then setting EIP=ESP.

Cheers,
Thomas
