Re: Buffer Overrun Newbie

["Jason Royes" <jroyes () da-experts com>]

You might try prefixing your shellcode with a sub esp, 0x100. The win32 
functions you're calling might be mangling the stack.

----- Original Message ----- 
From: <gj_williams2000 () yahoo co uk>
To: <vuln-dev () securityfocus com>
Sent: Sunday, February 05, 2006 5:20 PM
Subject: Buffer Overrun Newbie


> I was messing about with my pc trying to learn how buffer overruns work
> (mostly as an excuse to use assembler) and I have run into a problem.
>
> The program I am exploiting is just a simple c program I wrote which
> mismanages a string provided by the user by copying it into a 512 byte
> variable on the stack without checking its length.
>
> My shellcode is supposed to display a messagebox that reads "hello
> world".  When I compile my code into an executable and run it it works
> fine.  I also tested it by writing a c program that has the shellcode
> defined as a constant and then jumps to it in memory which works fine
> but when I try and exploit the program I mentioned above it goes wrong.
> Could this be because its not running from readonly memory?
>
> Debugging the program in OllyDbg shows me that when I make a call to
> GetProcAddress in the Kernel32.dll the function returns
> error_proc_not_found whereas in the other cases it returns err_success.
> The function works fine returning the address to the function I want
> but a big section of the stack seems to get overwritten by garbage
> which breaks the rest of my code.
>
> Is this my fault or some kind of Windows security mechanism?  Can
> anyone help me, I haven't found anything much on the net about it.
>
> Cheers for reading
> G