Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: Jump back to shellcode Windows overflow
From: Dino Dai Zovi (ddztheta44.org)
Date: Tue Apr 22 2003 - 17:33:58 CDT
Have you tried putting your shellcode after the saved EIP?
Use the fact that ESP points to just after the location of the saved
EIP as a blessing and just put your shellcode at the end.
[ 396 bytes padding ] [ RET ] [NOP*] [ SHELLCODE ]
You'll often have more room for your shellcode after the saved return
On Monday, April 21, 2003, at 09:50 PM, <chaboyd77yahoo.com> wrote:
> I'm practicing developing Windows Buffer Overflows and
> have run into a slight snag. When I overwrite EIP with
> the address of "jmp ESP" I land below my shellcode instead
> of where the top of the stack used to be:
> <-----------400 bytes-------->
> [NOP's........Shellcode...EIP..*<-code jumps here**]
> This didn't seem right but I figured that I'd use an
> offset from ESP to hop back to my shellcode.
> xor eax,eax
> xor ebp,ebp
> mov ebp,esp
> mov eax,ebp - 190H
> jump eax
> What I'm trying is loading esp into ebp and then moving
> that value into eax followed by a jump eax. Tried straight
> from esp to eax but figured out that wasn't allowed. I know
> that the .printer exploit(jill.c) does something similar (uses
> eax and ebx to make the jump). Any ideas?
Dino Dai Zovi / ddztheta44.org / www.theta44.org
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F