
From: <chaboyd77(at)yahoo.com>
Date: Mon Apr 21 2003 - 23:50:17 EDT

I'm practicing developing Windows Buffer Overflows and have run into a slight snag. When I overwrite EIP with the address of "jmp ESP" I land below my shellcode instead of where the top of the stack used to be:

<-----------400 bytes-------->
[NOP's........Shellcode...EIP..*<-code jumps here**]

This didn't seem right but I figured that I'd use an offset from ESP to hop back to my shellcode.

    xor     eax, eax
    xor     ebp, ebp
    mov     ebp, esp            ; copy the current stack pointer
    lea     eax, [ebp - 190h]   ; ESP - 0x190 (400 bytes back, the size of the buffer above)
    jmp     eax                 ; jump back into the NOP sled / shellcode

What I'm trying is loading esp into ebp and then moving that value into eax followed by a jump eax. Tried straight from esp to eax but figured out that wasn't allowed. I know that the .printer exploit (jill.c) does something similar (uses eax and ebx to make the jump). Any ideas? Thanks,
Dave

Received on Tue Apr 22 13:27:40 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT
