Re: Jump back to shellcode Windows overflow

[Dino Dai Zovi <ddz () theta44 org>]

Have you tried putting your shellcode after the saved EIP?
Use the fact that ESP points to just after the location of the saved 
EIP as a blessing and just put your shellcode at the end.

[ 396 bytes padding ] [ RET ] [NOP*] [ SHELLCODE ]

You'll often have more room for your shellcode after the saved return 
address anyway.

Have fun,

-Dino

On Monday, April 21, 2003, at 09:50 PM, <chaboyd77 () yahoo com> wrote:

> I'm practicing developing Windows Buffer Overflows and
> have run into a slight snag.  When I overwrite EIP with
> the address of "jmp ESP" I land below my shellcode instead
> of where the top of the stack used to be:
>
> <-----------400 bytes-------->
> [NOP's........Shellcode...EIP..*<-code jumps here**]
>
> This didn't seem right but I figured that I'd use an
> offset from ESP to hop back to my shellcode.
>
> xor         eax,eax     
>         xor             ebp,ebp
>         mov             ebp,esp
>         mov             eax,ebp - 190H
>         jump            eax
>
> What I'm trying is loading esp into ebp and then moving
> that value into eax followed by a jump eax. Tried straight
> from esp to eax but figured out that wasn't allowed. I know
> that the .printer exploit(jill.c) does something similar (uses
> eax and ebx to make the jump). Any ideas?
> Thanks,
> Dave
--
         Dino Dai Zovi / ddz () theta44 org / www.theta44.org
      "Bein' Crazy is the least of my worries." - Jack Kerouac
         C439 2B06 D8D2 A2D8 1ABB  0A55 A61D 9057 63F5 9B1F