Vulnerability Development mailing list archives

Re: Re: Help developing exploit


From: KaCo678 () aol com
Date: 28 May 2007 02:02:18 -0000

I was advised to use a smaller buffer. I think I had it the wrong way around for a start.

    <-buffer->      <ret>       <-shell-code->
aaaaaaaaaaaaaaaaaa  xxxx  SSSSSSSSSSSSSSSSSSSSSS

I am going to work off this and see what happens. OK, I'll explain what I've done so far. I worked out how much buffer we need to
control the EIP, then I worked out how big the shell code is plus the 4 bytes for the EIP. And it worked something like
this.

[1240 /A] + [75/bytes] + [4/bytes] + [171/Nop bytes] + [110/bytes/shell-code] + [414/bytes]




EIP address of overwrite.
=========================
1024 + 75 bytes + 4 bytes for EIP


EBP address of overwrite.
===========================
1024 + 71 + 4 bytes for EBP register

So 4 bytes before the EIP register we can write to EBP also, so we control 8 bytes. Anyway, moving on from that, I'll
just see what happened in the debugger and try to explain more. Also our EIP is underneath the NOPs, the line below. I
see the ESP is pointing at the first line of our NOPs. But the EIP has changed and at the bottom of Olly it says illegal
instruction. I changed EIP with the 4 bytes to jmp esp in ntdll. I think something might be stopping this from executing,
some kind of protection. What do you think m8.

2048 bytes passed to app.

