Re: Half-Life client buffer overflow
From: xenophi1e (oliver.lavery_at_sympatico.ca)
Date: 09/11/03
Date: 11 Sep 2003 16:10:48 -0000
To: vuln-dev@securityfocus.com
In-Reply-To: <20030909100220.26939.qmail@sf-www1-symnsj.securityfocus.com>
Try figuring out if it's always the same location that gets changed, or
if it's the values of the bytes in the shellcode that cause the change.
Insert a bunch of NOPs before the instructions that change and see if the
NOPs get damaged, in which case it's the location that counts, or the
instructions which follow them, in which case it's the values that count.
In the former case you just have to JMP over the corruption or something.
In the latter you have to find opcodes that don't get hosed.
~x
>I tried to write my own exploit for the buffer overflow in the Half-Life
>client (Counter-Strike mod) up to Version 1.1.1.0 (Half-Life).
>I overflow the buffer, jump to my shellcode, but every time some bytes
>are changed.
>In my shellcode are two calls and always after the first call some
>bytes are changed, when I look at the stack after the overflow. With a
>debugger I can find my shellcode on the stack and it is executed, but
>only to the first call. After the call opcodes, some bytes (four, five or
>six) are changed and then the rest of my shellcode is ok.
>Is the opcode for a call maybe an escape sequence for Half-Life, so that
>it changes some values that are following?
>Can someone help me, please?