Re: Jump back to shellcode Windows overflow
From: Matt Conover (shok camel.ethereal.net)
Date: Tue Apr 22 2003 - 13:22:50 CDT
You need to put a jmp instruction to jump back to your shellcode (which
should be located after the return address). Try something like this:
[NOPs][Shellcode][Padding (ebp, local vars, etc.)][Return address =
pointer to a JMP ESP][jmp 0-padding-shellcode_len-5]
Note that the first thing your shellcode should do is add esp, 0xffffeff0
(which is the same as subtracting ~4K from esp) so that when you push stuff
onto the stack you're not corrupting your shellcode.
Matt
On Mon, 22 Apr 2003 chaboyd77 yahoo.com wrote:
>
> I'm practicing developing Windows Buffer Overflows and
> have run into a slight snag. When I overwrite EIP with
> the address of "jmp ESP" I land below my shellcode instead
> of where the top of the stack used to be:
>
> <-----------400 bytes-------->
> [NOP's........Shellcode...EIP..*<-code jumps here**]
>
> This didn't seem right but I figured that I'd use an
> offset from ESP to hop back to my shellcode.
>
> xor eax,eax
> xor ebp,ebp
> mov ebp,esp
> mov eax,ebp - 190H
> jump eax
>
> What I'm trying is loading esp into ebp and then moving
> that value into eax followed by a jump eax. Tried straight
> from esp to eax but figured out that wasn't allowed. I know
> that the .printer exploit(jill.c) does something similar (uses
> eax and ebx to make the jump). Any ideas?
> Thanks,
> Dave
>
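An added sanity check of the layout arithmetic in Matt's reply (example code, not from the thread). It assumes the formula's "padding" is measured from the end of the shellcode up to the jmp instruction, i.e. including the 4-byte return address, and also shows the result when padding is measured only up to the return address; the region sizes are constructed.

```python
JMP_REL32_LEN = 5          # E9 opcode plus a 4-byte displacement
RET_ADDR_LEN = 4           # the overwritten return address
ADD_ESP_IMM = 0xFFFFEFF0   # immediate the reply suggests for "add esp"


def to_signed32(imm):
    """Read a 32-bit immediate as a two's-complement signed integer."""
    imm &= 0xFFFFFFFF
    return imm - (1 << 32) if imm & 0x80000000 else imm


def layout(nops, shellcode, gap):
    """Offsets (relative to the buffer start) of each region in
    [NOPs][Shellcode][gap: ebp, locals][Return address][jmp rel32]."""
    ret = nops + shellcode + gap
    return {"shellcode": nops, "ret": ret, "jmp": ret + RET_ADDR_LEN}


def backward_disp(padding, shellcode):
    """The thread's formula: 0 - padding - shellcode_len - 5."""
    return -padding - shellcode - JMP_REL32_LEN


def landing(nops, shellcode, gap, padding):
    """Where the jmp rel32 lands: next-instruction offset plus displacement.
    After RET, ESP points just past the return address, so the jmp esp
    gadget executes the jmp rel32 stored there."""
    jmp = layout(nops, shellcode, gap)["jmp"]
    return jmp + JMP_REL32_LEN + backward_disp(padding, shellcode)


def landing_ok(nops, shellcode, gap, padding):
    """True if the jump hits the NOP sled or the very first shellcode byte."""
    return 0 <= landing(nops, shellcode, gap, padding) <= nops


def esp_below_buffer(nops, shellcode, gap):
    """True if 'add esp, 0xffffeff0' moves ESP below the buffer start, so
    later pushes cannot clobber the sled or shellcode (only holds while the
    whole buffer is smaller than the ~4K adjustment)."""
    jmp = layout(nops, shellcode, gap)["jmp"]   # ESP when the jmp runs
    return jmp + to_signed32(ADD_ESP_IMM) < 0
```

With padding measured only up to the return address the jump lands 4 bytes into the shellcode, so the first instruction is skipped; measuring it up to the jmp lands exactly on the shellcode start.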