Re: Some help With BOF Exploits Writing.

From: DownBload <downbload(at)hotmail.com>
Date: Sat Jul 26 2003 - 08:39:18 EDT
In-Reply-To: <Law9-F5967EKRuYDlrj00009721@hotmail.com>

Remote bof exploitation is a little bit harder, because you can't just do "movl %esp, %eax" to find the return address. In classic buffer overflows, for remote exploits, try to install the vuln. application on your host and find the return address. Then you can code an exploit which will probably work on the same architecture, OS and application version as yours. For remote (and local) exploits, you can use the return address brute force method.
Remote format string exploits are much more hacker-friendly than classic buffer overflows when it comes to finding the return address. You can just pop the stack with %x%x%x%x%x.

DownBload / Illegal Instruction Labs <www.kamikaza.org>

>
>The return address should be before your shellcode, inside the nop's.
>pushed,
>it'll get pushed here and
>Eax
>is the return value
>Thats
>been on my mind for
>>they
>>were very informative and useful for me. I had some questions in my mind
>>you
>>cud help me with that.
>>But
>>now i want to do the same thing at win2k/winxp platforms. My problem in
>>previous
>>RET instruction. On win98 i had a util called getcode.exe , which will
>>scan
>>the memory and list out the jmp eax, ret eax, call eax, call ebx and
>>i
>>calculate the return address on 2k/Xp platform?? Disassembling the
>>DLLs/EXEs
>>and searching them all for such instances is kinda hard to do.
Received on Mon Jul 28 15:58:29 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

