Re: Jump back to shellcode Windows overflow

From: <chaboyd77(at)yahoo.com>
Date: Wed Apr 23 2003 - 23:04:20 EDT
In-Reply-To: <3EA57FD0.4010603@thievco.com>

Thanks everyone for the help.

Tried placing shellcode at end, seemed to not overwrite EIP anymore, strange.
Next, tried using a near jump and it works great (besides the fact that I haven't got the shellcode working quite right yet).  

// Near jump to shellcode (approx 422 bytes, jmp near -422)
// E9 rel32: the 4-byte displacement 0xFFFFFE55 is little-endian and
// is measured from the end of this 5-byte instruction.

   char jumpcode [] =
   "\xE9\x55\xFE\xFF\xFF";

My total buffer (460 bytes, 411-414 overwrite EIP) now looks like this (typical addresses):

Top of Stack   NOPS   Shellcode  EIP     **   NOPS   jump
00fbfddd          fbfde9   fbfe07        fbff87   fbff88         fbff9c
 

I am attempting to use shellcode from the "Advanced Buffer Overflow" writeup by Litchfield (I changed LoadLibrary and GetProcAddress calls to the right addresses). I'm worried that I won't have enough space (have about 400 bytes to work with) if I decided to attempt to write my own shellcode. Thanks for the assistance! I will let you know if everything goes good.

David

>How about just a short or near jmp? How many bytes between where EIP
>lands and your shellcode? I.E. jmp -128 or something? EB 80, I think.
Received on Thu Apr 24 16:01:37 2003
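To check where a stub like the one David posted actually lands, here is a small decoder/encoder for the 5-byte E9 near jmp, written for this archive page and not part of the original thread. It uses the addresses from David's layout (jump at 0x00fbff9c, NOP sled from 0x00fbfde9 up to the shellcode at 0x00fbfe07) as constructed sample input and assumes 32-bit x86 addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The bytes quoted in the post: E9 followed by a little-endian rel32. */
static const unsigned char jumpcode[5] = {0xE9, 0x55, 0xFE, 0xFF, 0xFF};

/* Read the signed rel32 displacement out of an E9 near jmp. */
int32_t near_jmp_rel(const unsigned char *code)
{
    uint32_t u = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                 ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return (int32_t)u;   /* 0xFFFFFE55 -> -427 */
}

/* Target of an E9 near jmp located at address `at`; 0 if the opcode is not E9.
   The displacement is relative to the END of the 5-byte instruction. */
uint32_t near_jmp_target(const unsigned char *code, uint32_t at)
{
    if (code[0] != 0xE9) return 0;
    return at + 5 + (uint32_t)near_jmp_rel(code);
}

/* Build the E9 rel32 that, placed at `at`, lands on `to`. */
void near_jmp_encode(uint32_t at, uint32_t to, unsigned char out[5])
{
    uint32_t rel = to - (at + 5);   /* two's-complement wraparound gives the signed rel32 */
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (unsigned char)(rel >> (8 * i));
}

/* 1 if `target` falls inside the half-open NOP sled [sled_start, sled_end). */
int lands_in_sled(uint32_t target, uint32_t sled_start, uint32_t sled_end)
{
    return target >= sled_start && target < sled_end;
}

int main(void)
{
    const uint32_t jump_at = 0x00fbff9c, sled = 0x00fbfde9, shellcode = 0x00fbfe07;
    uint32_t tgt = near_jmp_target(jumpcode, jump_at);
    printf("rel32 = %d, target = 0x%08x, in sled = %d\n",
           near_jmp_rel(jumpcode), tgt, lands_in_sled(tgt, sled, shellcode));
    return 0;
}
```

With the posted layout the displacement decodes to -427, so the jmp lands at 0x00fbfdf6, inside the NOP sled rather than exactly on the shellcode, which is why the "approx 422" stub still works.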


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT
