
From: ConKing (Connection_kingbusch-hacker.de)
Date: Mon Jun 18 2001 - 12:46:34 CDT


    Did I understand it right... you want to know how to get the right offset?
    It shouldn't be any problem, just sp - buffer size, which is stored on the
    stack... now where's your problem getting
    the offset to the vulnerable buffer?
    If you filled everything with NOPs it shouldn't really be a problem...

    sincerely

    Robin

    ------------------------------------------------------------------------------------------------------------------

    visit: www.usad.li

    -----Original Message-----
    From: roland kwitt [mailto:sniperf1lesystem.net]
    Sent: Sunday, 17 June 2001 21:34
    To: VULN-DEVsecurityfocus.com
    Subject: exploit coding

    hi folks,

    Here I am again with a question on writing exploits!
    My problem is that in the last exploit I wrote the
    buffer I overflowed was the first variable in the
    program, so it was not very difficult to guess
    the offset. Now I found a buffer overflow problem
    in a little program my friend wrote, a dynamic
    DNS entry updater (runs as setuid root). The variable
    is now no longer in first place. In my last exploit
    I used the function sp() to get the stack pointer and
    wanted the user to enter the offset. Then I calculated
    the return address by subtracting the offset from the
    stack pointer. Generally the value 0 was OK for the
    offset and my exploit worked as I wanted it to.
    Can anybody tell me how I can guess the offset and
    how to calculate the return address if the variable
    is not the first one in the program?

    piece of code from an exploit!!

    offset = atoi(argv[1]);   /* offset supplied by the user */
    esp = sp();               /* get the current stack pointer */
    ret = esp - offset;       /* guessed return address */

    thanks, sniper
    sniperf1lesystem.net