Vulnerability Development mailing list archives

RE: win32 stack bof & shellcode size


From: "Brett Moore" <brett.moore () security-assessment com>
Date: Fri, 31 Oct 2003 12:22:51 +1300

Some say it's not possible, is it?

It's all possible.

Your message isn't too clear, but it sounds like you can fit some opcodes
after the return address, so you insert a backwards jump or shellcode
finding code.

It really depends on the situation though. For example, it may be that
the address after the return address points into your buffer, so you
can use a return-to-libc type exploit.
Returning to SetUnhandledExceptionFilter, for instance, will allow you
to gain control.
http://www.eeye.com/html/Research/Advisories/AD20020710.html

In other situations, other registers may point to your buffer, or an
address already on the stack. So you can return to a jmp ebx, or a
jmp [esp+8], etc.

Brett

-----Original Message-----
From: . npguy [mailto:npguy () linuxmail org]
Sent: Thursday, October 30, 2003 3:39 PM
To: vuln-dev () securityfocus com
Subject: win32 stack bof & shellcode size


Hi,

Are there any techniques to execute the shellcode if the necessary
opcodes cannot fit after the return address?
The return address is overwritten with an address of "jmp esp"!

Some say it's not possible, is it?

TIA
