win32 bof question
From: ma1ler_deamon (ma1ler_deamon_at_yahoo.com)
Date: 11/24/03
- Previous message: Parity: "RE: Can you exploit this XSS?"
- Next in thread: Brett Moore: "RE: win32 bof question"
- Reply: Brett Moore: "RE: win32 bof question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 24 Nov 2003 10:26:21 -0800 (PST)
To: Vuln-Dev@securityfocus.com
I am trying to wrap my brain around some shellcode stuff and ran into something that isn't making much sense yet.
I have a function

    void test3(void){
        char buf[3];
        // bytes 0-7: the "shellcode" (two NOPs, then a 5-byte jmp); every write
        // past buf[2] deliberately overflows the 3-byte buffer into the stack frame
        buf[0]=0x90;
        buf[1]=0x90;
        buf[2]=0xe9;
        buf[3]=0x40;
        buf[4]=0x11;
        buf[5]=0x40;
        buf[6]=0x00;
        buf[7]=0x00;
        //set eip on stack to be loc of buf[0]
        buf[8]= 0x24;
        buf[9]= 0xff;
        buf[10]= 0x12;
        buf[11]= 0x00;
    }
buf 8-11 is overwriting the saved eip with the location of buf[0];
buf 0-7 is my super simple (yet still failing) shellcode.
What I am trying to do is to jump to a function called "never_really_called" located at memory offset 0000401140.
I have tried several things to get the right opcodes for this jmp. First I tried

    __asm{
        jmp never_really_called //E9 FE 59 FF FF
    };

inline in the function and then extracted the opcodes in the debugger... which I thought would give me the right result, but didn't.
Then I opened a random exe in hiew and changed the first instruction to jmp 401140 in asm mode and grabbed the opcodes, but that wasn't quite right either.
As in the example, the E9 40 11 40 00 00 shows up right in the dsm view of the debugger as a "jmp never_really_called (401140)", but then when the jump actually happens... I find myself at 53106b.
I have to be missing something simple... any words of wisdom?
I am using vc6 w/ debug config.
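Added worked example, written by the editor and not part of the original post or of any reply in the thread. Opcode E9 is a jmp with a 32-bit displacement that the CPU adds to the address of the instruction that follows the jmp (the jmp's own address plus 5), so the bytes are only meaningful for the exact location they execute from; the operand is not an absolute address. The code below encodes and decodes that instruction. Its addresses are taken from the post: buf[0] is assumed to sit at 0x0012ff24 (the value the post writes over the saved EIP), the jmp is assumed to start two bytes later at buf[2], and the target is 0x00401140. Decoding the posted bytes E9 40 11 40 00 from that spot yields the 0x0053106b the post reports landing at, and the encoder shows which displacement would have reached the intended function from that same spot.

```c
#include <stdint.h>
#include <stdio.h>

/* Encode "jmp rel32" (opcode E9) into out[5] for a jump that executes at
 * address `at` and should land at `target`. The displacement is relative to
 * the END of the 5-byte instruction (at + 5), not to the jmp's first byte.
 * Unsigned subtraction wraps mod 2^32, which is exactly how the CPU treats
 * a negative (backward) displacement. */
static void encode_jmp_rel32(uint32_t at, uint32_t target, uint8_t out[5])
{
    uint32_t disp = target - (at + 5);
    out[0] = 0xE9;
    out[1] = (uint8_t)(disp);
    out[2] = (uint8_t)(disp >> 8);
    out[3] = (uint8_t)(disp >> 16);
    out[4] = (uint8_t)(disp >> 24);
}

/* Decode a jmp rel32 located at address `at` and return the address the CPU
 * will actually continue at. Returns 0 if the bytes are not an E9 jmp. */
static uint32_t decode_jmp_rel32(uint32_t at, const uint8_t in[5])
{
    if (in[0] != 0xE9)
        return 0;
    uint32_t disp = (uint32_t)in[1]
                  | ((uint32_t)in[2] << 8)
                  | ((uint32_t)in[3] << 16)
                  | ((uint32_t)in[4] << 24);
    return at + 5 + disp;
}

/* Assumed layout, taken from the post (not measured on a live system):
 * buf[0] lives at 0x0012ff24, the jmp starts at buf[2], target is 0x401140. */
#define BUF_ADDR   0x0012ff24u
#define JMP_ADDR   (BUF_ADDR + 2u)
#define TARGET     0x00401140u

/* The five bytes the post placed at buf[2..6]. */
static const uint8_t posted_jmp[5] = {0xE9, 0x40, 0x11, 0x40, 0x00};

/* Where the posted bytes really send execution when run from JMP_ADDR. */
static uint32_t where_posted_bytes_land(void)
{
    return decode_jmp_rel32(JMP_ADDR, posted_jmp);
}

/* The displacement a jmp at JMP_ADDR needs to reach TARGET. */
static uint32_t corrected_displacement(void)
{
    return TARGET - (JMP_ADDR + 5u);
}

/* Round trip: encode a jmp for JMP_ADDR -> TARGET, then decode it again. */
static uint32_t corrected_jmp_lands_at(void)
{
    uint8_t fixed[5];
    encode_jmp_rel32(JMP_ADDR, TARGET, fixed);
    return decode_jmp_rel32(JMP_ADDR, fixed);
}

int main(void)
{
    uint8_t fixed[5];
    encode_jmp_rel32(JMP_ADDR, TARGET, fixed);

    printf("posted bytes E9 40 11 40 00 at %08x land at %08x\n",
           JMP_ADDR, where_posted_bytes_land());
    printf("jmp at %08x to %08x needs disp %08x, bytes:",
           JMP_ADDR, TARGET, corrected_displacement());
    for (int i = 0; i < 5; i++)
        printf(" %02X", fixed[i]);
    printf("\n");
    return 0;
}
```

The same rule explains the other attempt in the post: the E9 FE 59 FF FF that the compiler emitted for the inline `jmp never_really_called` is a backward displacement computed for the spot inside test3 where that instruction was assembled, so copying those bytes into the buffer lands somewhere else again. Any relative jmp has to be re-encoded for the address it will actually execute from, which is why a debugger's disassembly view shows the resolved target only for the bytes at their real location.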