
Chapter 15

Assembly Language Basics

To get the most out of this chapter, you’ll need a basic understanding of the 
assembly programming language. We use a lot of low-level assembly language 
instructions and commands in this chapter, so let’s take a look at the most 
common ones.

EIP and ESP Registers

Registers are placeholders that store information, perform calculations, or 
hold values that an application needs in order to run. The two most important 
registers for the purposes of this chapter are EIP, the extended instruction 
pointer register, and ESP, the extended stack pointer register.

The value in EIP is the address of the next instruction the processor will 
execute, so it tells the application where to go after it has executed some 
code. In this chapter, we'll overwrite our EIP return address and tell it to 
point to our malicious shellcode. The ESP register points to the top of the 
stack; in our buffer overflow exploit, that is where we would overwrite the 
normal application data with our malicious code to cause a crash. The ESP 
register is essentially a memory address and placeholder for our malicious 
shellcode.

The JMP Instruction Set

The JMP instruction is a "jump": it transfers execution to an address, and 
JMP ESP jumps to whatever address is held in the ESP register. In the overflow 
example that we'll explore in this chapter, we use the JMP ESP instruction to 
tell the computer to go to the ESP memory address that happens to contain our 
shellcode.

NOPs and NOP Slides

NOP is a no-operation instruction. Sometimes when you trigger an overflow, 
you won't know exactly where you're going to land within the space allocated. 
A NOP instruction simply says to the computer "Don't do anything if you see 
me," and on x86 it is the single byte \x90 in hexadecimal.

A NOP slide is a handful of NOPs, combined to create a slide to our shellcode. 
When we go through and actually trigger the JMP ESP instruction, we will land 
somewhere in a bunch of NOPs, which execute one after another until we hit our 
shellcode, so we do not need to know the exact landing address.
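The defender's side of the NOP slide just described, as an added example that is not from the book: a check that looks for long runs of the \x90 byte inside SMTP EHLO/HELO commands, which is the pattern a signature-based IDS rule keys on. The SMTP lines, the `min_len` threshold and the function names are constructed for this example.

```python
# Added example (not from the book): a defender-side check for the plain
# \x90 NOP slide described above, run over constructed SMTP EHLO lines.
from typing import List, Tuple

NOP = 0x90  # x86 single-byte NOP opcode, the \x90 from the text


def find_nop_slides(data: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of consecutive NOPs that is at
    least min_len bytes long. Shorter runs are ignored because isolated 0x90
    bytes occur in ordinary binary data and in legitimate machine code."""
    runs: List[Tuple[int, int]] = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and data[i] == NOP:
            i += 1
        if i - start >= min_len:
            runs.append((start, i - start))
    return runs


def is_suspicious_ehlo(line: bytes, min_len: int = 16) -> bool:
    """Flag an EHLO/HELO command whose argument carries a NOP slide.
    A real hostname argument is printable ASCII and never contains 0x90."""
    return line[:5] in (b"EHLO ", b"HELO ") and bool(find_nop_slides(line, min_len))


# Constructed sample inputs (not real captures).
LEGIT_EHLO = b"EHLO mail.example.com\r\n"
SUSPICIOUS_EHLO = (
    b"EHLO " + b"A" * 24        # oversized, non-hostname argument
    + b"\x90" * 40              # the NOP slide
    + b"\xcc" * 16              # stand-in for shellcode (int3 breakpoints)
    + b"\r\n"
)

if __name__ == "__main__":
    for name, line in (("legit", LEGIT_EHLO), ("suspicious", SUSPICIOUS_EHLO)):
        print(name, find_nop_slides(line), is_suspicious_ehlo(line))
```

This only catches the literal \x90 sled the chapter uses; payload encoders substitute other one-byte instructions for NOP, so a production rule would also need a length check on the EHLO argument itself.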

Porting a Buffer Overflow

Our first example is a typical remote buffer overflow that needs only a jump 
to the extended stack pointer (JMP ESP) instruction to reach the shellcode. 
This exploit, called the "MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow 
Exploit," uses MailCarrier 2.51 SMTP commands to cause a buffer overflow.

NOTE: You'll find the exploit and a vulnerable application at 
http://www.exploit-db.com/exploits/598/.