Re: Jump back to shellcode Windows overflow

From: Matt Conover (shok@camel.ethereal.net)
Date: 04/22/03

    Date: Tue, 22 Apr 2003 11:22:50 -0700 (PDT)
    From: Matt Conover <shok@camel.ethereal.net>
    To: vuln-dev@securityfocus.com
    
    

    You need to put a jmp instruction to jump back to your shellcode (which
    should be located after the return address). Try something like this:
    [NOPs][Shellcode][Padding (ebp, local vars, etc.)][Return address =
    pointer to a JMP ESP][jmp 0-padding-shellcode_len-5]

    Note that the first thing your shellcode should do is add esp, 0xffffeff0
    (which is the same as subtracting ~4K from esp) so that when you push stuff
    onto the stack you're not corrupting your shellcode.

    Matt

    On Mon, 22 Apr 2003 chaboyd77@yahoo.com wrote:

    >
    >
    > I'm practicing developing Windows Buffer Overflows and
    > have run into a slight snag. When I overwrite EIP with
    > the address of "jmp ESP" I land below my shellcode instead
    > of where the top of the stack used to be:
    >
    > <-----------400 bytes-------->
    > [NOP's........Shellcode...EIP..*<-code jumps here**]
    >
    > This didn't seem right but I figured that I'd use an
    > offset from ESP to hop back to my shellcode.
    >
    > xor eax,eax
    > xor ebp,ebp
    > mov ebp,esp
    > mov eax,ebp - 190H
    > jump eax
    >
    > What I'm trying is loading esp into ebp and then moving
    > that value into eax followed by a jump eax. Tried straight
    > from esp to eax but figured out that wasn't allowed. I know
    > that the .printer exploit(jill.c) does something similar (uses
    > eax and ebx to make the jump). Any ideas?
    > Thanks,
    > Dave
    >

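The layout Matt describes can be checked with a little arithmetic. The following is an added example, not code from the original mail: it builds a constructed dummy buffer with the layout [NOPs][Shellcode][Padding][Return address][jmp], computes the rel32 displacement for a backward jmp that lands at the start of the shellcode (counting the 4-byte return-address slot explicitly, and the jmp's own 5-byte length), decodes the jmp again to confirm where it lands, and shows what add esp, 0xffffeff0 actually does to esp. All lengths and marker bytes are illustrative assumptions.

```python
import struct

# Constructed layout lengths (assumptions, not taken from the mail).
NOP_LEN = 100        # NOP sled at the very start of the buffer
SHELLCODE_LEN = 200  # shellcode sits right after the sled
PADDING_LEN = 96     # saved ebp, locals, etc. up to the return address
RET_LEN = 4          # overwritten return address (pointer to a jmp esp)
JMP_LEN = 5          # E9 rel32 is a five-byte instruction


def to_signed32(value):
    """Interpret a 32-bit immediate as the two's-complement value the CPU uses."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def esp_adjust(immediate):
    """Net change to esp caused by `add esp, immediate` on a 32-bit CPU.

    add esp, 0xffffeff0 is the same as sub esp, 0x1010 (4112 bytes, ~4K),
    which moves the stack pointer below the shellcode so pushes cannot
    overwrite it.
    """
    return to_signed32(immediate)


def jmp_offset(nop_len=NOP_LEN, shellcode_len=SHELLCODE_LEN,
               padding_len=PADDING_LEN):
    """Offset of the backward jmp inside the buffer: right after the return address."""
    return nop_len + shellcode_len + padding_len + RET_LEN


def backward_jmp_displacement(nop_len=NOP_LEN, shellcode_len=SHELLCODE_LEN,
                              padding_len=PADDING_LEN):
    """rel32 displacement so the jmp lands on the first shellcode byte.

    rel32 is relative to the address of the *next* instruction, so the jmp's
    own length is subtracted.  With the 4-byte return slot folded into the
    padding this is exactly `0 - padding - shellcode_len - 5` from the mail.
    """
    target = nop_len  # shellcode starts right after the NOP sled
    return target - (jmp_offset(nop_len, shellcode_len, padding_len) + JMP_LEN)


def encode_jmp_rel32(displacement):
    """Assemble `jmp rel32` (opcode E9, little-endian signed 32-bit displacement)."""
    return b"\xe9" + struct.pack("<i", displacement)


def build_layout(nop_len=NOP_LEN, shellcode_len=SHELLCODE_LEN,
                 padding_len=PADDING_LEN):
    """Constructed dummy buffer using marker bytes instead of real code:
    'S' stands in for shellcode, 'P' for padding, 'R' for the return address."""
    disp = backward_jmp_displacement(nop_len, shellcode_len, padding_len)
    return (b"\x90" * nop_len
            + b"S" * shellcode_len
            + b"P" * padding_len
            + b"R" * RET_LEN
            + encode_jmp_rel32(disp))


def simulate_landing(layout, at):
    """Decode the jmp rel32 found at `at` and return the offset it transfers to."""
    if layout[at] != 0xE9:
        raise ValueError("no jmp rel32 at offset %d" % at)
    disp = struct.unpack("<i", layout[at + 1:at + 1 + 4])[0]
    return at + JMP_LEN + disp


def landing_is_on_shellcode(layout, at):
    """True when the decoded jmp lands on the first shellcode marker byte."""
    landing = simulate_landing(layout, at)
    return landing == NOP_LEN and layout[landing] == ord("S")


if __name__ == "__main__":
    buf = build_layout()
    at = jmp_offset()
    print("jmp at offset", at, "displacement", backward_jmp_displacement())
    print("lands at offset", simulate_landing(buf, at),
          "on shellcode:", landing_is_on_shellcode(buf, at))
    print("add esp, 0xffffeff0 changes esp by", esp_adjust(0xFFFFEFF0))
```

With the constructed lengths the jmp sits at offset 400, the displacement works out to -305, and decoding the instruction lands at offset 100, the first shellcode byte. The esp adjustment evaluates to -4112, which is the "~4K" in the mail; the point of doing it first is that the stack pointer, left by jmp esp right next to the shellcode, is moved well below it before the shellcode pushes anything.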