Re: Jump back to shellcode Windows overflow

[Matt Conover <shok () camel ethereal net>]

You need to put a jmp instruction to jump back to your shellcode (which
should be located after the return address). Try something like this:
[NOPs][Shellcode][Padding (ebp, local vars, etc.)][Return address =
pointer to a JMP ESP][jmp 0-padding-shellcode_len-5]

Note the first thing your shellcode should do is add esp, 0xffffeff0
(which is the same as subtracting esp by ~4K) so that when you push stuff
onto the stack you're not corrupting your shellcode

Matt

On Mon, 22 Apr 2003 chaboyd77 () yahoo com wrote:

> I'm practicing developing Windows Buffer Overflows and
> have run into a slight snag.  When I overwrite EIP with
> the address of "jmp ESP" I land below my shellcode instead
> of where the top of the stack used to be:
>
> <-----------400 bytes-------->
> [NOP's........Shellcode...EIP..*<-code jumps here**]
>
> This didn't seem right but I figured that I'd use an
> offset from ESP to hop back to my shellcode.
>
> xor         eax,eax
>       xor             ebp,ebp
>       mov             ebp,esp
>       mov             eax,ebp - 190H
>         jump            eax
>
> What I'm trying is loading esp into ebp and then moving
> that value into eax followed by a jump eax. Tried straight
> from esp to eax but figured out that wasn't allowed. I know
> that the .printer exploit(jill.c) does something similar (uses
> eax and ebx to make the jump). Any ideas?
> Thanks,
> Dave