From: Roland Postle (mailblazde.co.uk)
Date: Sat Apr 12 2003 - 12:41:50 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 11 Apr 2003 15:16:11 -0400, Aaron C. Newman (Application
Security, Inc.) wrote:

>The payload is not written directly to ESP or EBP so I can not simply
>call somewhere in the program where there is a "call esp" or "jmp esp".
>One of the areas overwritten does seem to be consistently written to ESP
>+ 0x1D00 or EBP + 0x1D10 so I was hoping to find someplace in code where
>it executes:
>add esp, 0x1D00
>jmp esp

Sometimes you'll find you can control a dword further down the stack,
then you can find an

add esp, 0x100, retn

to get you there, then again find another dword a bit further down that
you control, so you end up 'hopping' down the stack. But I doubt it
would work in your case, 0x1D00 is a long way to go.

The other thing to look for is a bit of static memory you can control,
it need only be a few bytes long.. enough to put an

add esp, 0x1d00
retn

in. Then jump there. If your target app is single threaded (or your
overflow is always in the first thread) you may even find a good bit of
'static' memory further down the stack. In my experience the first
thread always gets a stack based at the same address (0x00140000) tho
it may be OS version specific.

- Blazde

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]