The main idea is to use a gadget such as leave; ret.
Suppose we have a procedure with a stack overflow, and we overwrite the stack as shown below. At this point the bss section holds no content yet; the data will be read into it later by the read function:
In fact, when a call completes and the function returns, an instruction sequence like the following is executed:
mov esp, ebp
pop ebp
ret
Let us step through these instructions one at a time.
First, mov esp, ebp.
After it executes, the stack looks like this:
Then pop ebp.
After it executes:
Remember that the pop instruction pops the value at the top of the stack into the specified register, which means esp is automatically adjusted by one unit.
Now ret executes
, transferring control to the read function, and through the read function we can place our content at the fake ebp1 address.
The content we construct consists mainly of writing the address of fake ebp2 at fake ebp1.
After the read function finishes, the program returns to leave_ret, which again executes as described above.
First, mov esp, ebp;
after it completes, the result is as follows:
Then pop ebp;
after it completes:
Now ret executes,
and the program runs the function we constructed in the bss data section.
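To make the two passes through leave; ret concrete, the following added example (not code from the original article) steps a tiny model CPU through the exact sequence described above: the overwritten epilogue, the read call that stores fake ebp2 at fake ebp1, and the second leave; ret that moves esp into bss. All addresses (FRAME_EBP, FAKE_EBP1, FAKE_EBP2, READ_FN, LEAVE_RET, TARGET_FN) are constructed placeholders, and memory is a flat dictionary of 32-bit words.

```python
WORD = 4
# Constructed addresses for illustration only; they belong to no real binary.
FRAME_EBP = 0xFFFFD0F8   # ebp of the vulnerable function's frame
FAKE_EBP1 = 0x0804A100   # bss address written over the saved ebp
FAKE_EBP2 = 0x0804A200   # value the read call later stores at FAKE_EBP1
READ_FN   = 0x08048400   # read function, written over the return address
LEAVE_RET = 0x080485C0   # leave; ret gadget, used as read's return address
TARGET_FN = 0x0804A108   # function staged in bss directly after fake ebp2

class Cpu:
    def __init__(self, mem, esp, ebp):
        self.mem, self.esp, self.ebp, self.eip = dict(mem), esp, ebp, None

    def pop(self):
        # pop loads the word at the top of the stack, then esp moves one unit
        value = self.mem.get(self.esp, 0)
        self.esp += WORD
        return value

    def leave_ret(self):
        self.esp = self.ebp        # mov esp, ebp
        self.ebp = self.pop()      # pop ebp
        self.eip = self.pop()      # ret
        return self.eip

def read_into(cpu, buf, words):
    """Model of the read call: store the words at buf, then return via ret."""
    for i, w in enumerate(words):
        cpu.mem[buf + i * WORD] = w
    cpu.eip = cpu.pop()
    return cpu.eip

def simulate_pivot():
    # Stack after the overflow: saved ebp -> fake ebp1, return -> read,
    # read's own return address -> leave; ret. bss is still empty.
    stack = {FRAME_EBP: FAKE_EBP1, FRAME_EBP + 4: READ_FN, FRAME_EBP + 8: LEAVE_RET}
    cpu = Cpu(stack, esp=FRAME_EBP - 16, ebp=FRAME_EBP)
    steps = [("epilogue leave;ret", cpu.leave_ret(), cpu.esp, cpu.ebp)]
    # read fills fake ebp1 with [fake ebp2, target function] and returns
    eip = read_into(cpu, FAKE_EBP1, [FAKE_EBP2, TARGET_FN])
    steps.append(("read returns", eip, cpu.esp, cpu.ebp))
    # second leave;ret: esp becomes fake ebp1, pop takes fake ebp2, ret takes target
    steps.append(("gadget leave;ret", cpu.leave_ret(), cpu.esp, cpu.ebp))
    return steps

if __name__ == "__main__":
    for name, eip, esp, ebp in simulate_pivot():
        print(f"{name:20s} eip={eip:#010x} esp={esp:#010x} ebp={ebp:#010x}")
```

The last trace line shows esp resting inside the bss region rather than the original stack, which is the state the article's final figure depicts.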