Metasploit mailing list archives

pattern_offset


From: patrick at aushack.com (Patrick Webster)
Date: Thu, 22 Jan 2009 17:14:08 +1100

You say that:

A * 76 = EIP 41414141 which is a successful overflow.

So you want:

A * 72 + [target['Ret']].pack('V') # return address from module target

I tried pattern_create.rb with the values 72 and 220. With 72 it returns the same address, and with 220 it returns 0x6f343d2d.

If EIP is overwritten at 76 bytes, then sending pattern_create(72)
will not overwrite EIP (by 4 bytes). By sending 220 bytes you may be
completely smashing the stack and invoking an exception or some other
internal function.

However, pattern_offset is used to determine /where/ EIP is
overwritten (e.g. where in 50,000 bytes?!). But if your email is
correct, then you already know it is 72 + 4 bytes for EIP return
address overwrite :)

-Patrick
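As an added example (not code from this thread or from Metasploit itself), a minimal Ruby re-implementation of the two scripts the reply refers to, with constructed EIP values; it shows why a crash value that is not made of pattern bytes yields no offset at all:

```ruby
# Added example: a minimal re-implementation of the pattern_create /
# pattern_offset idea (not Metasploit's own code). The pattern is built
# from nested upper/lower/digit sets, so every 4-byte window is unique
# within the first 20,280 bytes and a crashed EIP value maps back to
# exactly one position in the buffer that was sent.
UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a
MAX_UNIQUE = UPPER.size * LOWER.size * DIGIT.size * 3 # 20,280 bytes

# Equivalent of pattern_create.rb <length>: "Aa0Aa1Aa2...".
def pattern_create(length)
  raise ArgumentError, "pattern repeats past #{MAX_UNIQUE} bytes" if length > MAX_UNIQUE
  out = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out
end

# Equivalent of pattern_offset.rb <eip>: the register holds four pattern
# bytes in little-endian order, so repack them with 'V' and search for
# them. Returns nil when the value did not come from the pattern, e.g.
# 0x41414141 from an all-'A' buffer, or a value left by an exception
# path after a much larger overwrite.
def pattern_offset(eip, length = MAX_UNIQUE)
  needle = [eip].pack('V')
  pattern_create(length).index(needle)
end

# Crash-triage helper: given the EIP seen in the debugger and the length
# of the pattern that was sent, say whether EIP is pattern-derived.
def triage(eip, sent_length)
  off = pattern_offset(eip, sent_length)
  return format('EIP 0x%08x is not made of pattern bytes; look elsewhere', eip) if off.nil?

  "EIP overwritten by pattern bytes at offset #{off} of #{sent_length}"
end

if __FILE__ == $0
  p pattern_create(16)          # constructed: "Aa0Aa1Aa2Aa3Aa4A"
  puts triage(0x41346341, 220)  # constructed value: "Ac4A" sits at offset 72
  puts triage(0x6f343d2d, 220)  # value from the thread: bytes "-=4o", not in the pattern
end
```

The value from the thread, 0x6f343d2d, unpacks to the bytes "-=4o", which cannot occur in an alphanumeric pattern, so the lookup returns nil and the crash must be attributed to something other than a clean EIP overwrite.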
