Vulnerability Development mailing list archives
Re: problem in rewrite RET address in Buffer OverFlow
From: Gerry Eisenhaur <gerrye () gmail com>
Date: Tue, 25 Oct 2005 21:55:38 -0600
I think you are a little confused. When exploiting a stack-based buffer overflow, one of the ways to control the process flow is overwriting the stored return address with an address that will get you back to your shellcode.

The common example used when explaining this is that when the function where the overflow occurs returns, there will be a register that points to (or close to) your user-controlled buffer. Say ESP points to the buffer you control (your shellcode); you would overwrite the return address with a JMP ESP, hence giving you control.

I hope this makes things a little clearer for you.

Gerry

Mani.682001 () gmail com wrote:
Hi list, I am working on writing a local exploit, so I want to overwrite the RET address with EIP (somewhere where my NOPs and shellcode are), but I have a problem with this. The EIP address is 002F77E1; if you pay some attention you can see the first byte is "00", and if I put it in the string in my exploit, C/C++ thinks it's the end of the string. So what can I do? I asked this question of my friend; he answered, use User32.dll, but I opened it in a debugger and searched for "jmp eip". I found some addresses without any 00 byte, but it doesn't work correctly. My question is why we use user32.dll and what it does, and is there any other DLL for jumping to the EIP address?
--
Gerry Eisenhaur <gerrye gmail com>
PGP key: 0xB4A196698555EC78
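The truncation the original poster ran into, shown as an added example that is not code from the thread: a 0x00 byte anywhere in the 32-bit value ends a C string, so a strcpy()-style copy drops everything after it, including the NOPs and shellcode that were meant to follow the RET overwrite. The helper names, the 8-byte filler length and the NUL-free contrast value 0x11223344 are constructed for this demonstration; 0x002F77E1 is the address from the question.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers written for this page; not code from the thread. */

/* Report whether any byte of a 32-bit address is 0x00. Such a byte ends a
   C string, which is why 0x002F77E1 cannot be carried intact by strcpy(). */
int addr_has_nul(uint32_t addr) {
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* Model a C-string copy: bytes are copied up to the first 0x00 and the rest
   are dropped. Returns how many payload bytes would arrive in the target. */
size_t bytes_surviving_strcpy(const uint8_t *payload, size_t len) {
    size_t n = 0;
    while (n < len && payload[n] != 0)
        n++;
    return n;
}

/* Constructed layout matching the poster's description: filler up to the
   saved return address, the 32-bit address in little-endian byte order, then
   the NOPs and shellcode that were meant to follow it (here 4 bytes of 0x90).
   Returns how many of the 16 bytes survive a strcpy()-style copy. */
size_t surviving_with_ret(uint32_t ret) {
    uint8_t payload[16];
    memset(payload, 'A', 8);                 /* filler to reach RET */
    for (int i = 0; i < 4; i++)              /* little-endian RET overwrite */
        payload[8 + i] = (uint8_t)(ret >> (8 * i));
    memset(payload + 12, 0x90, 4);           /* what was supposed to follow */
    return bytes_surviving_strcpy(payload, sizeof payload);
}

int main(void) {
    uint32_t bad = 0x002F77E1u;   /* the address from the question */
    uint32_t ok  = 0x11223344u;   /* constructed NUL-free value for contrast */
    printf("0x%08X has NUL byte: %d, bytes surviving strcpy: %zu of 16\n",
           bad, addr_has_nul(bad), surviving_with_ret(bad));
    printf("0x%08X has NUL byte: %d, bytes surviving strcpy: %zu of 16\n",
           ok, addr_has_nul(ok), surviving_with_ret(ok));
    return 0;
}
```

With 0x002F77E1 only 11 of the 16 bytes arrive, because the copy stops at the 0x00 in the fourth address byte; with the NUL-free value all 16 arrive.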
Current thread:
- problem in rewrite RET address in Buffer OverFlow Mani . 682001 (Oct 25)
- Re: problem in rewrite RET address in Buffer OverFlow Gerry Eisenhaur (Oct 26)
- <Possible follow-ups>
- Re: problem in rewrite RET address in Buffer OverFlow behrang (Oct 26)