In-Reply-To: <200308071347.h77DlYAa018973at_private>

> So you are saying that the return address will be the same on my local
> machine as it is on a remote machine (for a particular application on
> the same architecture). I have found that most time it is true. Which
> got me wondering how in the world do two different instances of the same
> OS/arch come up with the same addresses?? Is it luck? Any knowledge
> here would be helpful?
>

It's not luck at all, it's very intentional. Modern OSs use virtual memory, which gives each executing process its own distinct memory map. For various reasons, it's really handy to have stuff, particularly code pages, always be at the same address, so that is how the OS is designed.

One good reason is dynamic linking. When the OS loads an application, it actually links together an .exe and a bunch of .dlls in memory. If the dll functions always reside at the same memory addresses this linking is easy. If the dll functions change addresses it is more complex and time consuming. So on a given OS, for a given DLL, addresses don't change much.

> If you don't mind: When you say "find the return address"; is that
> the value in the esp/SP at the time when the actual vulnerable function
> is called ?

ESP is the stack pointer. I didn't read the original message but I guess he was referring to the value of the return address stored on the stack.

Read http://www.phrack.org/show.php?p=49&a=14 .

~x
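As an added illustration, not code posted by anyone in this thread: the small C program below captures the three kinds of addresses the reply distinguishes (a code address, a stack address, and the return address a callee finds saved on its stack just above its own frame) and checks two properties of the layout within a single process. It assumes GCC or Clang for `__attribute__((noinline))` and `__builtin_return_address`, and an x86 or ARM style downward-growing stack.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example for this thread, not code from either writer.
 * Assumes GCC or Clang (noinline attribute, __builtin_return_address). */
#define NOINLINE __attribute__((noinline))

/* A code (text segment) address: where this function's first instruction lives. */
NOINLINE uintptr_t code_address(void) {
    return (uintptr_t)&code_address;
}

/* A stack address: where a 64-byte local buffer in this frame lives.
 * The buffer is volatile so the compiler keeps a real slot for it. */
NOINLINE uintptr_t stack_address(void) {
    volatile char buf[64];
    for (size_t i = 0; i < sizeof buf; i++) buf[i] = 0;
    return (uintptr_t)&buf[0];
}

/* The saved return address: the value CALL pushed onto the stack just above
 * this frame, which RET pops back into the instruction pointer. This is the
 * "return address stored on the stack" the reply refers to. */
NOINLINE uintptr_t saved_return_address(void) {
    return (uintptr_t)__builtin_return_address(0);
}

/* Stack growth direction: on x86 and ARM the stack grows toward lower
 * addresses, so a callee's locals sit below the caller's. Returns 1 if so. */
NOINLINE int stack_grows_down(void) {
    volatile char outer[16];
    for (size_t i = 0; i < sizeof outer; i++) outer[i] = 0;
    uintptr_t caller_local = (uintptr_t)&outer[0];
    uintptr_t callee_local = stack_address();
    return callee_local < caller_local;
}

/* Within one process the layout is fixed: calling the same function from the
 * same depth yields the same frame address. Returns 1 if two samples agree. */
NOINLINE int layout_stable_within_process(void) {
    uintptr_t first = stack_address();
    uintptr_t second = stack_address();
    return first == second;
}

int main(void) {
    printf("code   : 0x%" PRIxPTR "\n", code_address());
    printf("stack  : 0x%" PRIxPTR "\n", stack_address());
    printf("retaddr: 0x%" PRIxPTR "\n", saved_return_address());
    printf("stack grows down: %d, stable within process: %d\n",
           stack_grows_down(), layout_stable_within_process());
    return 0;
}
```

Run the program twice. Identical output on both runs is the 2003 behaviour the reply describes: the loader places code, libraries and stack at fixed virtual addresses. Differing output means the OS randomises the layout per process (ASLR), which is exactly the mitigation that breaks the "same address on my machine and the remote one" assumption; on Linux the setting is readable in `/proc/sys/kernel/randomize_va_space`, and a non-PIE executable keeps a fixed code address even when its stack and shared libraries are randomised.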
This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 15:00:33 PDT