Back to list
Re: Re: Help developing exploit
May 28 2007 02:02AM
KaCo678 aol com
I was advised to use a smaller buffer.I think i had it the wrong way around for a start.
<-buffer-> <ret> <-shell-code->
aaaaaaaaaaaaaaaaaa xxxx SSSSSSSSSSSSSSSSSSSSSS
I am guna work of this and see what happens.Ok ill explain what ive done so far i worked out haw much buffer we need to control the eip then i worked out haw big the shell code plus the 4 bytes for the eip.And it worked some thing like this.
[1240 /A] + [75/bytes] + [4/bytes] + [171/Nop bytes] + [110/bytes/shell-code] + [414/bytes]
eip Address of overwrite.
1024 + 75 bytes + 4 bytes for eip//
Ebp address of overwrite.
1024 + 71 + 4 bytes for ebp register//
So 4 bytes before the eip register we can write to ebp also..So we control 8 bytes..Any way moving on from that ill just see what happened in the debugger and try to explain more.Also our Eip is underneath the nops the line below .I see the esp is pointing at the first line of our nops.But the eip has changed and at the bottom of olly it says illegal instruction i changed eip with the 4 bytes to jmp esp in ntdll..Think some thing might be stopping this from executing some kind of protection what do you think m8.
2048 bytes passed to app.
[ reply ]
Copyright 2010, SecurityFocus