Re: Some help With BOF Exploits Writing.

The return address should be before your shellcode, inside the nop's.

[NNNNNNNNNSSSSSSSSSSSSSRET] buffer stored on stack.

5    1              2                    3     4
0xFFFFA        0xFFFFD       0xFFFFE        grows upwards.

1. Bunch of nop instructions: 0x90, that do nothing, so execution goes to the right until your code is executed.
2. shellcode.
3. return address, which is calculated to point somewhere within the nop operations, this is calculated locally, by using the stack pointer esp. see 4.
4. Esp stack pointer points to the top of stack, which is usually here, unless there is other data on the stack, to calculate the address of the NOP's, you'd get the esp address and subtract an offset from it depending on the size of the data within the stack.
5. Ebp, the current location inside the stack, so if anything gets pushed, it'll get pushed here and ebp will continue to shift to the left as more things are added to the stack.

most unix code does this like this:

}                                             of most function calls in C.

//calculate ret, using offset supplied by user.

offset = atoi(argv[1]); will crash if there was no input however. Should check first.
RET = get_esp() - offset;

[NNNNNNNNNNNNNSSSSSSSSSSSSSSSRET]

10 20 30 40 50 60

simple decimal example.

/exploit 20

RET = Getesp() - offset
RET =  60 - 20
RET = 40

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

crash .. middle of shellcode

/exploit 40

RET = getesp() - offset
RET = 60 - 40
RET = 20

Bingo, right in the nops, execution moves to the right until shellcode hits.. thats the basic way of
doing it anyway.

Another method is by putting the shellcode, and alot more nops inside an environment variable, to
increase the size of the padding(NOPs) to increase chances of success and have less guesswork.

Anyone want to add to this?

And a question of my own, how does remote exploits accomplish this?? Thats been on my mind for
quite some time.

deepcode

>From: "theetabond" 
>Reply-To: "theetabond" 
>To: pondermate@hotmail.com
>Subject: Some help With BOF Exploits Writing.
>Date: 25 Jul 2003 06:56:15 -0000
>
>Hi there DeepCode,
>                   I've been reading u'r recent posts on Vul-Dev, and they 
>were very informative and useful for me. I had some questions in my mind 
>regarding writing buffer overflows on Win32 platform, and i hope may be you 
>cud help me with that.
>I had written some exploits ( stack overflow ) for win98 successfully. But 
>now i want to do the same thing at win2k/winxp platforms. My problem in 
>this is - in calculating the return address which u write over the previous 
>RET instruction. On win98 i had a util called getcode.exe , which will scan 
>the memory and list out the jmp eax, ret eax, call eax, call ebx and 
>similar useful addresses which u can use to write at return addresses. 
>Unfortunately this particular tool deosn't work on win2k/Xp. So how can i 
>calculate the return address on 2k/Xp platform?? Dissembling the DLLs/EXEs 
>and searching them all for such instances is kinda hard to do.
>  So is there any way/tool which can give me the desired output ??
>Thank You Very Much
>theeta.
>
>

_________________________________________________________________