From: Dino Dai Zovi (ddztheta44.org)
Date: Tue Apr 22 2003 - 17:33:58 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Have you tried putting your shellcode after the saved EIP?
Use the fact that ESP points to just after the location of the saved
EIP as a blessing and just put your shellcode at the end.

[ 396 bytes padding ] [ RET ] [NOP*] [ SHELLCODE ]

You'll often have more room for your shellcode after the saved return
address anyway.

Have fun,

-Dino

On Monday, April 21, 2003, at 09:50 PM, <chaboyd77yahoo.com> wrote:

>
>
> I'm practicing developing Windows Buffer Overflows and
> have run into a slight snag. When I overwrite EIP with
> the address of "jmp ESP" I land below my shellcode instead
> of where the top of the stack used to be:
>
> <-----------400 bytes-------->
> [NOP's........Shellcode...EIP..*<-code jumps here**]
>
> This didn't seem right but I figured that I'd use an
> offset from ESP to hop back to my shellcode.
>
> xor eax,eax
> xor ebp,ebp
> mov ebp,esp
> mov eax,ebp - 190H
> jump eax
>
> What I'm trying is loading esp into ebp and then moving
> that value into eax followed by a jump eax. Tried straight
> from esp to eax but figured out that wasn't allowed. I know
> that the .printer exploit(jill.c) does something similar (uses
> eax and ebx to make the jump). Any ideas?
> Thanks,
> Dave
>
>
--
          Dino Dai Zovi / ddztheta44.org / www.theta44.org
       "Bein' Crazy is the least of my worries." - Jack Kerouac
          C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]