Re: Jump back to shellcode Windows overflow
From: chaboyd77 at yahoo.com
Date: Wed Apr 23 2003 - 22:04:20 CDT
In-Reply-To: <3EA57FD0.4010603@thievco.com>
Thanks everyone for the help.
Tried placing shellcode at end, seemed to not overwrite EIP anymore, strange.
Next, tried using a near jump and it works great (besides the fact that I
haven't got the shellcode working quite right yet).
// Near jump to shellcode (approx 422 bytes, jmp near -422)
// E9 rel32: the displacement 0xFFFFFE55 (-427) is added to the address of
// the next instruction, so from the start of this 5-byte jump execution
// lands 422 bytes back.
char jumpcode [] =
"\xE9\x55\xFE\xFF\xFF";
My total buffer (460 bytes,411-414 overwrite EIP) now looks like this
(typical addresses):
Top of Stack  NOPS     Shellcode  EIP      **       NOPS jump
00fbfddd      fbfde9   fbfe07     fbff87   fbff88   fbff9c
I am attempting to use shellcode from the "Advanced Buffer Overflow"
writeup by Litchfield (I changed LoadLibrary and GetProcAddress calls to
the right addresses). I'm worried that I won't have enough space (have
about 400 bytes to work with) if I decided to attempt to write my own
shellcode. Thanks for the assistance! I will let you know if everything
goes well.
David
> How about just a short or near jmp? How many bytes between where EIP lands
> and your shellcode? I.E. jmp -128 or something? EB 80, I think.
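The jump-back trampoline discussed in this thread, as an added worked example (this is not code from the original post or from Litchfield's writeup). It encodes the near (E9) and short (EB) jumps with the displacement taken from the start of the instruction, as the post's "jmp near -422" and the reply's "EB 80" do, checks that the jump at fbff9c lands inside the NOP sled between fbfde9 and fbfe07 using David's posted addresses, and then builds the same layout in an executable page and enters it at the jump. The 64/6/300-byte layout in run_trampoline and its stand-in "shellcode" (mov eax,42 ; ret) are constructed for the demo and are assumptions, not David's buffer.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* "jmp rel32" (opcode E9).  delta is where execution should continue,
 * measured from the START of the jump instruction, so "jmp near -422"
 * means delta = -422.  The CPU adds the displacement to the address of the
 * NEXT instruction, hence the encoded value is delta - 5.  Returns 5, or 0
 * if the displacement does not fit in 32 bits. */
int encode_jmp_near(int64_t delta, unsigned char out[5])
{
    int64_t rel = delta - 5;
    if (rel < INT32_MIN || rel > INT32_MAX)
        return 0;
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)                     /* little-endian rel32 */
        out[1 + i] = (unsigned char)(((uint32_t)rel) >> (8 * i));
    return 5;
}

/* "jmp rel8" (opcode EB): same convention, 2-byte instruction, so the
 * reachable range from the instruction start is -126..+129.  EB 80 is the
 * farthest backward short jump: 128 bytes before the NEXT instruction. */
int encode_jmp_short(int64_t delta, unsigned char out[2])
{
    int64_t rel = delta - 2;
    if (rel < -128 || rel > 127)
        return 0;
    out[0] = 0xEB;
    out[1] = (unsigned char)rel;
    return 2;
}

/* Would a jump at jmp_addr with this delta land inside the NOP sled
 * [sled_start, shell_start]?  Anywhere in the sled is fine; landing past
 * shell_start would skip the first bytes of the shellcode. */
int lands_in_sled(uint32_t jmp_addr, int64_t delta,
                  uint32_t sled_start, uint32_t shell_start)
{
    uint32_t target = (uint32_t)(jmp_addr + delta);
    return target >= sled_start && target <= shell_start;
}

/* A NUL in the trampoline would end a strcpy-style copy early. */
size_t count_nul(const unsigned char *p, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0)
            c++;
    return c;
}

/* Build the post's layout in an executable page and run it:
 *   [NOP sled][stand-in shellcode][filler][jmp back to sled start]
 * entering at the jump, as the overwritten return address would.  The
 * stand-in shellcode "mov eax,42 ; ret" is an assumption for the demo (it
 * is not NUL-free); it only makes the result observable.  Returns 42 on
 * success, -1 if an RWX mapping is refused, -2 on a non-x86 build. */
int run_trampoline(void)
{
#if defined(__i386__) || defined(__x86_64__)
    enum { SLED = 64, SHELL = 6, FILL = 300, PAGE = 4096 };
    static const unsigned char shell[SHELL] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
    unsigned char *page = mmap(NULL, PAGE, PROT_READ | PROT_WRITE | PROT_EXEC,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    size_t jmp_off = SLED + SHELL + FILL;     /* where the return address points */
    memset(page, 0x90, PAGE);                 /* sled and filler are all NOPs */
    memcpy(page + SLED, shell, SHELL);
    if (!encode_jmp_near(-(int64_t)jmp_off, page + jmp_off)) { /* back to offset 0 */
        munmap(page, PAGE);
        return -1;
    }
    int (*entry)(void);
    void *p = page + jmp_off;
    memcpy(&entry, &p, sizeof entry);         /* data pointer -> code pointer */
    int r = entry();
    munmap(page, PAGE);
    return r;
#else
    return -2;
#endif
}

int main(void)
{
    unsigned char j[5];
    encode_jmp_near(-422, j);
    printf("jmp near -422 = %02X %02X %02X %02X %02X\n", j[0], j[1], j[2], j[3], j[4]);
    printf("jump at fbff9c lands in sled: %d\n",
           lands_in_sled(0xfbff9c, -422, 0xfbfde9, 0xfbfe07));
    printf("trampoline returned %d\n", run_trampoline());
    return 0;
}
```

With David's addresses the jump at fbff9c lands at fbfdf6, inside the sled that starts at fbfde9, and the encoded bytes contain no NUL. A short jump from the same spot cannot reach: -128 from fbff9c is fbff1c, which is still past the shellcode, which is why the near form was needed here.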