Vulnerability Development mailing list archives

exploit coding


From: roland kwitt <sniper () f1lesystem net>
Date: Sun, 17 Jun 2001 21:34:13 +0200 (CEST)


hi folks,

here i am again with a question on writing exploits!
my problem is that in the last exploit i wrote, the
buffer i overflowed was the first variable in the
program - so it was not very difficult to guess
the offset. now i found a buffer overflow problem
in a little program my friend wrote - a dynamic
dns entry updater (runs as setuid root). the variable
is now no longer in first place. in my last exploit
i used the function sp() to get the stack pointer and
wanted the user to enter the offset. then i calculated
the return address by subtracting the offset from the
stack pointer. generally the value 0 was ok for the
offset and my exploit worked as i wanted it.
can anybody tell me how i can guess the offset and
how to calculate the return address if the variable
is not the first one in the program?

piece of code from an exploit!!

offset = atoi(argv[1]);   /* offset supplied by the user on the command line */
esp    = sp();            /* get the current stack pointer */
ret    = esp - offset;    /* guessed return address */


thanks, sniper
sniper () f1lesystem net


