Exploitation Help

[<ramatkal () hotmail com>]

Several questions on a remote stack overflow i am trying to exploit on windows 2k/XP/2003....

I send a GET request to a vulnerable web server, when the Authorization Header is 250 bytes long, a buffer overflow 
occurs and i have full control over EIP. However, if the Authorization Header is larger than 250 bytes, an exception 
occurs and i do not control EIP. So, the problem is I only have about 250 bytes with which to put my shellcode...

I did notice however, that the entire GET request is also sitting on the stack about 2k from the Authorization Header 
and the RET address which i control. So, I was thinking to use this space to store my 600 or so byte shellcode...

So, I am basically thinking, i overflow EIP with an address that JMP's -260 to the beginning of the Authorization 
header. The Authorization header then contains my Stage1 shellcode that starts searching down the stack for my Stage2 
shellcode which it will find about 2k down the stack in the GET request.....

I hope somebody understands what the hell i am talking about....

Anyways, if anybody has any questions/suggestions/advice they would be greatly appreciated....

Thanks for your help,

RaMatkal

RaMatkal () hotmail com