Jump back to shellcode Windows overflow
chaboyd77
yahoo.com
Date: Mon Apr 21 2003 - 22:50:17 CDT
I'm practicing developing Windows Buffer Overflows and
have run into a slight snag. When I overwrite EIP with
the address of "jmp ESP" I land below my shellcode instead
of where the top of the stack used to be:
<-----------400 bytes-------->
[NOP's........Shellcode...EIP..*<-code jumps here**]
This didn't seem right but I figured that I'd use an
offset from ESP to hop back to my shellcode.
xor eax,eax
xor ebp,ebp
mov ebp,esp          ; save the current stack pointer in ebp
lea eax,[ebp-190h]   ; eax = esp - 0x190 ("mov eax,ebp - 190H" is not valid x86 syntax; lea computes the address)
jmp eax              ; the mnemonic is jmp, not jump
What I'm trying is loading esp into ebp and then moving
that value into eax, followed by a jmp eax. I tried going straight
from esp to eax but figured out that wasn't allowed. I know
that the .printer exploit (jill.c) does something similar (uses
eax and ebx to make the jump). Any ideas?
Thanks,
Dave