OSEC

Re: Exploitation Help

From: Felix Lindner (felix.lindner@nruns.com)
Date: Wed May 18 2005 - 03:20:39 CDT


On 17 May 2005 09:20:51 -0000
<ramatkal@hotmail.com> wrote:
>
> So, I am basically thinking, I overflow EIP with an address that JMP's -260
> to the beginning of the Authorization header. The Authorization header then
> contains my Stage1 shellcode that starts searching down the stack for my
> Stage2 shellcode which it will find about 2k down the stack in the GET
> request.....
>
> I hope somebody understands what the hell I am talking about....

You could easily implement a small piece of code in the 250 byte buffer doing
the following:

        mov esi,esp                     ; start scanning at the current stack pointer
Loop:
        inc esi                         ; advance one byte at a time (unaligned scan)
        cmp dword [esi],0x12345678      ; does this dword match the marker pattern?
        je found                        ; yes: marker located
        jmp short Loop                  ; no: keep walking the stack
found:
        add esi,4                       ; skip past the 4-byte marker itself
        jmp esi                         ; transfer control to what follows the marker

and begin your "real" shellcode with 0x12345678 or any other pattern for that
matter.

cheers
Felix

--
 Felix Lindner, CISSP | Senior Security Consultant, n.runs GmbH
         fx@nruns.com | +49 (0)171 740 20 62
A hacker does for love what others would not do for money.