EBP2Ret - EBP chaining

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

This technique exploits the ability to manipulate the Base Pointer (EBP) to chain the execution of multiple functions through careful use of the EBP register and the leave; ret instruction sequence.

As a reminder, leave basically means:

movl               %ebp, %esp
popl               %ebp
ret

And as the EBP is in the stack before the EIP it's possible to control it controlling the stack.

EBP2Ret

This technique is particularly useful when you can alter the EBP register but have no direct way to change the EIP register. It leverages the behaviour of functions when they finish executing.

If, during fvuln's execution, you manage to inject a fake EBP in the stack that points to an area in memory where your shellcode's address is located (plus 4 bytes to account for the pop operation), you can indirectly control the EIP. As fvuln returns, the ESP is set to this crafted location, and the subsequent pop operation decreases ESP by 4, effectively making it point to your shellcode. When the ret instruction is executed, control is transferred to your shellcode.

Exploit Construction

First you need to inject your shellcode somewhere in an executable memory and get the address, or get the address to a valid ONE_GADGET, or make the ESP point to a place with the address of system() followed by 4 junk bytes and the address of "/bin/sh".

Then, create a padding and compromise the EBP with the address to the shellcode/one_gadget - 4. It must be -4 because of the pop. Then, the ESP will be pointing to our desired address and and the ret will be executed.

Off-By-One Exploit

There's a specific variant of this technique known as an "Off-By-One Exploit". It's used when you can only modify the least significant byte of the EBP. In such a case, the memory location storing the shellcode's address must share the first three bytes with the EBP, allowing for a similar manipulation with more constrained conditions.

EBP Chaining

Therefore, putting a controlled address in the EBP entry of the stack and an address to leave; ret in EIP, it's possible to move the ESP to the controlled EBP address from the stack.

Now, the ESP is controlled pointing to a desired address and the next instruction to execute is a RET. To abuse this, it's possible to place in the controlled ESP place this:

&(next fake EBP) -> Load the new EBP because of pop ebp from the leave instruction
system() -> Called by ret
&(leave;ret) -> Called after system ends, it will move ESP to the fake EBP and start agin
&("/bin/sh")-> Param fro system

Basically this way it's possible to chain several fake EBPs to control the flow of the program.

Tbh, this is like a ret2lib, but more complex with no apparent benefit but could be interesting in some edge-cases.