Vulnerability Development mailing list archives
win32 bof question
From: ma1ler_deamon <ma1ler_deamon () yahoo com>
Date: Mon, 24 Nov 2003 10:26:21 -0800 (PST)
I am trying to wrap my brain around some shellcode stuff and ran into something that isn't making much sense yet. I have a function

    void test3(void)
    {
        char buf[3];
        buf[0]=0x90;
        buf[1]=0x90;
        buf[2]=0xe9;
        buf[3]=0x40;
        buf[4]=0x11;
        buf[5]=0x40;
        buf[6]=0x00;
        buf[7]=0x00;
        //set eip on stack to be loc of buf[0]
        buf[8]= 0x24;
        buf[9]= 0xff;
        buf[10]= 0x12;
        buf[11]= 0x00;
    }

buf 8-11 is overwriting saved eip with the location of buf[0]; buf 0-7 is my super simple (yet still failing) shellcode.

What I am trying to do is to jump to a function called "never_really_called" located at memory offset 0000401140. I have tried several things to get the right opcodes for this jmp. First I tried

    __asm{
        jmp never_really_called //E9 FE 59 FF FF
    };

inline in the function and then extracted the opcodes in the debugger, which I thought would give me the right result, but didn't. Then I opened a random exe in hiew and changed the first instruction to jmp 401140 in asm mode and grabbed the opcodes, but that wasn't quite right either. As is in the example, the E9 40 11 40 00 00 shows up right in the dsm view of the debugger, as a "jmp never_really_called (401140)", but then when the jump actually happens I find myself at 53106b.

I have to be missing something simple... any words of wisdom?

I am using vc6 w/ debug config
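Editorial worked example (added here; this is neither the poster's code nor the reply that followed in the thread). On x86, opcode E9 takes a signed 32-bit displacement that is added to the address of the instruction after the jmp (at + 5); it is not an absolute address. The two addresses below are taken from the post: buf[0] sits at 0x0012ff24 (the saved-eip bytes 24 ff 12 00) and never_really_called at 0x00401140. The function names are this example's own.

```c
/* Added example: rel32 vs. absolute jump encoding on x86-32.
 * Not code from the original post. Addresses 0x0012ff24 and 0x00401140
 * come from the post; every function name here is an assumption of this
 * example. Build with any C99 compiler, e.g. cc -std=c99 jmp.c */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Little-endian helpers. */
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The bytes from the post, read the way the CPU reads them (the sixth
 * 0x00 in the post is not part of the jmp; E9 takes exactly 4 operand bytes). */
static const uint8_t kPostedJmp[5] = { 0xE9, 0x40, 0x11, 0x40, 0x00 };

/* rel32 operand for an E9 placed at `at` that should land on `target`.
 * Unsigned subtraction wraps, so backward jumps come out right too. */
uint32_t rel32_displacement(uint32_t at, uint32_t target) {
    return target - (at + 5);
}

/* E9 rel32; always 5 bytes. */
size_t encode_jmp_rel32(uint32_t at, uint32_t target, uint8_t out[5]) {
    out[0] = 0xE9;
    put_le32(out + 1, rel32_displacement(at, target));
    return 5;
}

/* Where an E9 located at `at` actually transfers control. */
uint32_t decode_jmp_rel32(uint32_t at, const uint8_t insn[5]) {
    return (at + 5) + get_le32(insn + 1);
}

uint32_t rel32_roundtrip(uint32_t at, uint32_t target) {
    uint8_t b[5];
    encode_jmp_rel32(at, target, b);
    return decode_jmp_rel32(at, b);
}

/* Position-independent absolute jumps: the same bytes work wherever the
 * shellcode lands, so nothing has to be recomputed per address. */
size_t encode_jmp_abs_push_ret(uint32_t target, uint8_t out[6]) {
    out[0] = 0x68;                  /* push imm32 */
    put_le32(out + 1, target);
    out[5] = 0xC3;                  /* ret */
    return 6;
}
size_t encode_jmp_abs_eax(uint32_t target, uint8_t out[7]) {
    out[0] = 0xB8;                  /* mov eax, imm32 */
    put_le32(out + 1, target);
    out[5] = 0xFF; out[6] = 0xE0;   /* jmp eax */
    return 7;
}

/* Immediate of a push/ret or mov eax/jmp eax stub; 0 if it is neither. */
uint32_t decode_jmp_abs(const uint8_t *insn, size_t n) {
    if (n == 6 && insn[0] == 0x68 && insn[5] == 0xC3) return get_le32(insn + 1);
    if (n == 7 && insn[0] == 0xB8 && insn[5] == 0xFF && insn[6] == 0xE0)
        return get_le32(insn + 1);
    return 0;
}
uint32_t abs_roundtrip(uint32_t target, int use_eax) {
    uint8_t b[7];
    size_t n = use_eax ? encode_jmp_abs_eax(target, b)
                       : encode_jmp_abs_push_ret(target, b);
    return decode_jmp_abs(b, n);
}

static void dump(const char *label, const uint8_t *b, size_t n) {
    printf("%-24s", label);
    for (size_t i = 0; i < n; i++) printf("%02X ", b[i]);
    putchar('\n');
}

int main(void) {
    const uint32_t buf0   = 0x0012ff24;  /* saved eip -> buf[0], from the post */
    const uint32_t jmp_at = buf0 + 2;    /* two NOPs precede the E9 */
    const uint32_t target = 0x00401140;  /* never_really_called, from the post */
    uint8_t rel[5], pr[6], ea[7];

    printf("posted E9 at %08X lands at %08X\n",
           jmp_at, decode_jmp_rel32(jmp_at, kPostedJmp));
    encode_jmp_rel32(jmp_at, target, rel);
    encode_jmp_abs_push_ret(target, pr);
    encode_jmp_abs_eax(target, ea);
    dump("rel32 from 0012FF26:", rel, 5);
    dump("push/ret:", pr, 6);
    dump("mov eax / jmp eax:", ea, 7);
    return 0;
}
```

With the post's numbers, the E9 sits at 0x0012ff26, so its displacement is taken from 0x0012ff2b; adding the posted operand 0x00401140 to that gives 0x0053106b, which is exactly where the post reports ending up. The correct rel32 from that spot is 0x002D1215 (bytes E9 15 12 2D 00). The same reasoning explains the E9 FE 59 FF FF bytes from the inline __asm: they are only right at the address where VC6 placed them, and copying them into buf moves the origin and therefore the destination. The push/ret or mov eax/jmp eax forms avoid the problem entirely at the cost of one or two extra bytes.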
Current thread:
- win32 bof question ma1ler_deamon (Nov 24)
- RE: win32 bof question Brett Moore (Nov 24)