Vulnerability Development mailing list archives
Re: Jump back to shellcode Windows overflow
From: Dino Dai Zovi <ddz () theta44 org>
Date: Tue, 22 Apr 2003 16:33:58 -0600
Have you tried putting your shellcode after the saved EIP? Use the fact that ESP points to just after the location of the saved EIP as a blessing and just put your shellcode at the end.

[ 396 bytes padding ] [ RET ] [NOP*] [ SHELLCODE ]

You'll often have more room for your shellcode after the saved return address anyway.

Have fun,
-Dino

On Monday, April 21, 2003, at 09:50 PM, <chaboyd77 () yahoo com> wrote:
> I'm practicing developing Windows Buffer Overflows and have run into a slight snag. When I overwrite EIP with the address of "jmp ESP" I land below my shellcode instead of where the top of the stack used to be:
>
> <-----------400 bytes-------->
> [NOP's........Shellcode...EIP..*<-code jumps here**]
>
> This didn't seem right but I figured that I'd use an offset from ESP to hop back to my shellcode.
>
> xor eax,eax
> xor ebp,ebp
> mov ebp,esp
> mov eax,ebp - 190H
> jump eax
>
> What I'm trying is loading esp into ebp and then moving that value into eax followed by a jump eax. Tried straight from esp to eax but figured out that wasn't allowed. I know that the .printer exploit (jill.c) does something similar (uses eax and ebx to make the jump).
>
> Any ideas?
>
> Thanks,
> Dave
--
Dino Dai Zovi / ddz () theta44 org / www.theta44.org
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F