Vulnerability Development mailing list archives
Re: Re: Help developing exploit
From: KaCo678 () aol com
Date: 28 May 2007 02:02:18 -0000
I was advised to use a smaller buffer. I think I had it the wrong way around for a start.

<-buffer-> <ret> <-shell-code->
aaaaaaaaaaaaaaaaaa xxxx SSSSSSSSSSSSSSSSSSSSSS

I am going to work off this and see what happens. OK, I'll explain what I've done so far. I worked out how much buffer we need to control the EIP, then I worked out how big the shellcode is plus the 4 bytes for the EIP. And it worked out something like this:

[1240 /A] + [75/bytes] + [4/bytes] + [171/Nop bytes] + [110/bytes/shell-code] + [414/bytes]

EIP address of overwrite.
=========================
1024 + 75 bytes + 4 bytes for EIP

EBP address of overwrite.
===========================
1024 + 71 + 4 bytes for EBP register

So 4 bytes before the EIP register we can write to EBP also. So we control 8 bytes. Anyway, moving on from that, I'll just see what happened in the debugger and try to explain more. Also, our EIP is underneath the NOPs, the line below. I see the ESP is pointing at the first line of our NOPs. But the EIP has changed, and at the bottom of Olly it says illegal instruction. I changed EIP with the 4 bytes to jmp esp in ntdll. Think something might be stopping this from executing, some kind of protection. What do you think, mate?

2048 bytes passed to app.