Re: Help developing an exploit

[Claudio Broglia <xeon () sysroot eu>]

> Hi List,
Hi Webster,

> I discovered a buffer overflow in a networked application ...
> ... The problem I've been
> having is that my payload ends up at address 0x0012E6B4 and if I try
> to get that address into EIP, my entire message is rejected for
> containing an x00 character.  ...
> (23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into
> EDX->EIP)(up to 4500 bytes)
> ...
> Here are the last three
> lines of the program disassembly:
> mov     edx,dword ptr [eax]
> push    eax
> call    dword ptr [edx+8]
>
> That last line is where the debugger keeps stopping because since I
> haven't been able to put in the address I want (0012...), I've been
> using invalid memory addresses as space hoders (\xb4\xe6\x12\xcc).

Just a summary: you would like to call your payload which is located  
at address 0x0012e6b4, but you say you can't use a \x00 character.
But from the code snipper you've posted, the last call is a "call  
dword ptr [edx+8]" and not a "call edx+8". So from what I understand  
you have not to put in EDX 0x0012e6ac (0x0012e6b4-8), but just an  
address in the process address space which contains 0x0012e6b4 at the  
time of the call. This address obviously would not have a \x00  
character in its address. To find it just breakpoint at that call and  
search for it in memory (remember to subtract 8 from its address  
before putting it in your shellcode).

Hope I've been helpful, let me know.

bye
-xeon