Vulnerability Development mailing list archives

Jump back to shellcode Windows overflow


From: <chaboyd77 () yahoo com>
Date: 22 Apr 2003 03:50:17 -0000



I'm practicing developing Windows Buffer Overflows and
have run into a slight snag.  When I overwrite EIP with
the address of "jmp ESP" I land below my shellcode instead
of where the top of the stack used to be:

<-----------400 bytes-------->
[NOP's........Shellcode...EIP..*<-code jumps here**]

This didn't seem right but I figured that I'd use an
offset from ESP to hop back to my shellcode. 

        xor     eax, eax        ; clear eax
        xor     ebp, ebp        ; clear ebp
        mov     ebp, esp        ; copy the stack pointer into ebp
        lea     eax, [ebp-190h] ; eax = esp - 0x190 (400 bytes back, into the NOP sled)
        jmp     eax             ; jump back to the shellcode

What I'm trying is loading esp into ebp and then moving
that value into eax followed by a jump eax. Tried straight
from esp to eax but figured out that wasn't allowed. I know
that the .printer exploit(jill.c) does something similar (uses
eax and ebx to make the jump). Any ideas?
Thanks,
Dave


