Editing Buffer overflow (section)

====The jump to address stored in a register technique====

The "jump to register" technique allows for reliable exploitation of stack buffer overflows without the need for extra room for a NOP-sled and without having to guess stack offsets. The strategy is to overwrite the return pointer with something that will cause the program to jump to a known pointer stored within a register which points to the controlled buffer and thus the shellcode. For example, if register A contains a pointer to the start of a buffer then any jump or call taking that register as an operand can be used to gain control of the flow of execution.<ref name="shah" /> [[File:jumpToEsp.png|left|thumb|300px|An instruction from ntdll.dll to call the <code>DbgPrint()</code> routine contains the [[i386]] machine opcode for <code>jmp esp</code>.]]

In practice a program may not intentionally contain instructions to jump to a particular register. The traditional solution is to find an unintentional instance of a suitable [[opcode]] at a fixed location somewhere within the program memory. Figure [[:Image:JumpToEsp.png|E]] on the left contains an example of such an unintentional instance of the i386 <code>jmp esp</code> instruction. The opcode for this instruction is <code>FF E4</code>.<ref name="intel1" /> This two-byte sequence can be found at a one-byte offset from the start of the instruction <code>call DbgPrint</code> at address <code>0x7C941EED</code>. If an attacker overwrites the program return address with this address the program will first jump to <code>0x7C941EED</code>, interpret the opcode <code>FF E4</code> as the <code>jmp esp</code> instruction, and will then jump to the top of the stack and execute the attacker's code.<ref name="packetstorm1" />

When this technique is possible the severity of the vulnerability increases considerably. This is because exploitation will work reliably enough to automate an attack with a virtual guarantee of success when it is run. For this reason, this is the technique most commonly used in [[Internet worm]]s that exploit stack buffer overflow vulnerabilities.<ref name="Yuji1" />

This method also allows shellcode to be placed after the overwritten return address on the [[Microsoft Windows|Windows]] platform. Since executables are mostly based at address <code>0x00400000</code> and x86 is a [[little endian]] architecture, the last byte of the return address must be a null, which terminates the buffer copy and nothing is written beyond that. This limits the size of the shellcode to the size of the buffer, which may be overly restrictive. [[Dynamic-link library|DLLs]] are located in high memory (above <code>0x01000000</code>) and so have addresses containing no null bytes, so this method can remove null bytes (or other disallowed characters) from the overwritten return address. Used in this way, the method is often referred to as "DLL trampolining".