Vulnerability Development mailing list archives
Re: Buffer Overrun Newbie
From: "Jason Royes" <jroyes () da-experts com>
Date: Mon, 6 Feb 2006 17:55:33 -0500
You might try prefixing your shellcode with a sub esp, 0x100. The win32 functions you're calling might be mangling the stack.
----- Original Message -----
From: <gj_williams2000 () yahoo co uk>
To: <vuln-dev () securityfocus com>
Sent: Sunday, February 05, 2006 5:20 PM
Subject: Buffer Overrun Newbie
I was messing about with my PC trying to learn how buffer overruns work (mostly as an excuse to use assembler) and I have run into a problem. The program I am exploiting is just a simple C program I wrote which mismanages a string provided by the user by copying it into a 512-byte variable on the stack without checking its length. My shellcode is supposed to display a message box that reads "hello world". When I compile my code into an executable and run it, it works fine. I also tested it by writing a C program that has the shellcode defined as a constant and then jumps to it in memory, which works fine, but when I try to exploit the program I mentioned above it goes wrong. Could this be because it's not running from read-only memory? Debugging the program in OllyDbg shows me that when I make a call to GetProcAddress in Kernel32.dll, the function returns error_proc_not_found, whereas in the other cases it returns err_success. The function works fine returning the address of the function I want, but a big section of the stack seems to get overwritten by garbage, which breaks the rest of my code. Is this my fault or some kind of Windows security mechanism? Can anyone help me? I haven't found anything much on the net about it. Cheers for reading, G
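The target program the original poster describes (user input copied into a 512-byte stack buffer with no length check) next to a copy routine that fails closed, as an added example that comes from neither poster; the names BUF_SIZE, copy_unchecked, copy_checked and handle_input are chosen here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* the 512-byte stack buffer from the original post */

/*
 * The defect described in the post: the input is copied into a fixed
 * stack buffer with no length check, so anything longer than the buffer
 * overwrites what follows it on the stack (saved registers, return
 * address). Kept for contrast only; nothing here calls it.
 */
void copy_unchecked(char buf[BUF_SIZE], const char *input)
{
    strcpy(buf, input);               /* no bound on the source length */
}

/* Hardened replacement: copy only if the whole string, including its
 * terminator, fits in dst; otherwise reject and leave dst untouched.
 * memchr stops at the first NUL, so it never reads past dst_size bytes. */
bool copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)                  /* no terminator within dst_size: too long */
        return false;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return true;
}

/* The post's handler rewritten to fail closed: returns the number of
 * bytes accepted, or -1 if the input would have overrun the buffer. */
int handle_input(const char *input)
{
    char buf[BUF_SIZE];
    if (!copy_checked(buf, sizeof buf, input))
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    char big[BUF_SIZE + 100];          /* constructed oversize input: 611 'A's */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short input  -> %d\n", handle_input("hello world")); /* 11 */
    printf("611-byte input -> %d\n", handle_input(big));         /* -1 */
    return 0;
}
```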