Vulnerability Development mailing list archives

Re: Jump back to shellcode Windows overflow


From: <chaboyd77 () yahoo com>
Date: 24 Apr 2003 03:04:20 -0000

In-Reply-To: <3EA57FD0.4010603 () thievco com>

Thanks everyone for the help. 

Tried placing shellcode at the end; it seemed to not overwrite EIP 
anymore, strange. 
Next, tried using a near jump and it works great (besides the fact that I 
haven't got the shellcode working quite right yet).
 
// Near jump to shellcode (approx 422 bytes, jmp near -422)
char jumpcode[] = "\xE9\x55\xFE\xFF\xFF";
 
My total buffer (460 bytes, bytes 411-414 overwrite EIP) now looks like this 
(typical addresses):
 
Top of Stack  NOPS    Shellcode  EIP     **  NOPS    jump
00fbfddd      fbfde9  fbfe07     fbff87      fbff88  fbff9c
 
I am attempting to use shellcode from the "Advanced Buffer Overflow" 
writeup by Litchfield (I changed the LoadLibrary and GetProcAddress calls to 
the right addresses). I'm worried that I won't have enough space (I have 
about 400 bytes to work with) if I decide to attempt to write my own 
shellcode. Thanks for the assistance! I will let you know if everything 
goes well.
 
David


How about just a short or near jmp? How many bytes between where EIP 
lands and your shellcode? I.e. jmp -128 or something? EB 80, I think.
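When triaging a captured overflow buffer like the one above, the first thing to check is where the trailing jump actually transfers control. The decoder below is an added example (not code from this thread); it assumes the addresses from the layout in the post and decodes both the 5-byte near form (E9 rel32) and the 2-byte short form (EB rel8), remembering that the displacement is relative to the end of the instruction, not its start.

```python
import struct

# Constructed from the layout in the post: the jmp sits at 0xfbff9c, the
# NOP sled starts at 0xfbfde9 and the shellcode proper at 0xfbfe07.
JUMP_ADDR = 0xFBFF9C
NOP_START = 0xFBFDE9
SHELLCODE = 0xFBFE07
JUMPCODE = b"\xE9\x55\xFE\xFF\xFF"   # the near jmp quoted in the post


def decode_rel_jmp(code: bytes, addr: int):
    """Decode a short (EB rel8) or near (E9 rel32) relative jmp located at
    `addr`. Returns (mnemonic, length, displacement, target). The CPU adds
    the displacement to the address of the *next* instruction, so
    target = addr + length + displacement (wrapped to 32 bits)."""
    if not code:
        raise ValueError("empty buffer")
    op = code[0]
    if op == 0xEB:
        if len(code) < 2:
            raise ValueError("truncated jmp short")
        disp = struct.unpack("<b", code[1:2])[0]   # signed 8-bit
        length, mnem = 2, "jmp short"
    elif op == 0xE9:
        if len(code) < 5:
            raise ValueError("truncated jmp near")
        disp = struct.unpack("<i", code[1:5])[0]   # signed 32-bit, little endian
        length, mnem = 5, "jmp near"
    else:
        raise ValueError(f"not a relative jmp opcode: {op:#04x}")
    return mnem, length, disp, (addr + length + disp) & 0xFFFFFFFF


def lands_in(target: int, lo: int, hi: int) -> bool:
    """True if the jump target falls inside [lo, hi), e.g. the NOP sled."""
    return lo <= target < hi


def main():
    mnem, length, disp, target = decode_rel_jmp(JUMPCODE, JUMP_ADDR)
    print(f"{mnem} {disp:+d}: from {JUMP_ADDR:#x} to {target:#x} "
          f"({JUMP_ADDR - target} bytes back from the jmp's own address)")
    print("target inside NOP sled:", lands_in(target, NOP_START, SHELLCODE))
    # The two-byte form from the reply: EB 80 is jmp short -128.
    print(decode_rel_jmp(b"\xEB\x80", JUMP_ADDR))


if __name__ == "__main__":
    main()
```

The rel32 in the post decodes to -427 from the end of the instruction, which is the 422 bytes back from the jmp's own address that the comment in the post describes, and it lands inside the NOP sled ahead of the shellcode.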