Vulnerability Development mailing list archives
RE: win32 stack bof & shellcode size
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Fri, 31 Oct 2003 12:22:51 +1300
> Some say it's not possible, is it?

It's all possible.

Your message isn't too clear, but it sounds like you can fit some opcodes after the return address, so you insert a backwards jump or shellcode-finding code.

It really depends on the situation though. For example, it may be that the address after the return address points into your buffer, so you can use a return-to-libc type exploit. Returning to SetUnhandledExceptionFilter, for instance, will allow you to gain control.
http://www.eeye.com/html/Research/Advisories/AD20020710.html

In other situations, other registers may point to your buffer, or an address already on the stack. So you can return to a jmp ebx, or a jmp [esp+8], etc...

Brett

-----Original Message-----
From: . npguy [mailto:npguy () linuxmail org]
Sent: Thursday, October 30, 2003 3:39 PM
To: vuln-dev () securityfocus com
Subject: win32 stack bof & shellcode size

Hi,

Are there any techniques to execute the shellcode if the necessary opcodes cannot fit after the return address? The return address is overwritten with an address of "jmp esp". Some say it's not possible, is it?

TIA
Current thread:
- win32 stack bof & shellcode size . npguy (Oct 30)
- RE: win32 stack bof & shellcode size Brett Moore (Oct 31)