Metasploit mailing list archives

pattern_offset.rb


From: rhyskidd at gmail.com (Rhys Kidd)
Date: Sun, 08 Apr 2007 20:17:07 +0800

Sonixxfx wrote:
> Can someone tell me why pattern_offset.rb does not work with the ESP
> and the EBP register in this case? I have attached a picture of
> ollydbg for clarification.

I'm assuming the process you have used to attempt to find the location
in which ESP and EBP point to in the string is something like
"./pattern_offset.rb 0098FD98 1000".

ESP and EBP are registers which _point_ to a location in memory.

When a vulnerable string handling API was called - from memory war-ftpd
uses plain old strcpy() - your long crafted string extends past the end
of the target buffer, overflows any other later buffers and then finally
overwrites the values of the stack pointer, base pointer and finally the
saved return address.

A few cycles later, the function which contained the strcpy then
finishes, and attempts to return. The value of the saved return address
becomes the value in EIP; however ESP and EBP continue to merely _point_
to the memory location of another portion of your long string. The
values of ESP and EBP themselves are not changed by the buffer overflow.

What you want to do is take the first bytes of the portion of string at
ESP ("q4Aq"), convert it to hex with either an online ASCII converter or
some Ruby and then feed these values into ./pattern_offset.rb

In this way you will now have the location in your crafted string that
eventually becomes the beginning of the location ESP points to. Under
the classic approach to stack overflows you'll finally want to set your
saved return address to a "jmp esp" or equivalent.

- Rhys
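To make the point concrete, here is an added example (not code from the original thread or from Metasploit itself) that reimplements the cyclic pattern scheme used by pattern_create.rb and the lookup done by pattern_offset.rb. It shows why feeding the raw register value fails while feeding the four bytes ESP points at ("q4Aq", or the same dword as seen in the debugger, 0x71413471) returns an offset into the crafted string. The pattern length and the query values are constructed for this illustration.

```ruby
# Added example: a minimal reimplementation of the Metasploit cyclic pattern
# (pattern_create.rb) and offset lookup (pattern_offset.rb), not the project's code.
UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Build a pattern of the requested length from the triples Upper+lower+digit.
# Every 3-byte triple is unique, so any 4-byte window occurs at most once.
def pattern_create(length)
  buf = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        buf << u << l << d
        return buf[0, length] if buf.length >= length
      end
    end
  end
  buf[0, length]
end

# Turn what the debugger shows into the bytes that sit in memory.
# An 8-hex-digit value such as "71413471" is a little-endian dword read from
# memory, so its byte order is reversed; a 4-character text value such as
# "q4Aq" is already in memory order.
def query_to_bytes(query)
  if query =~ /\A(0x)?[0-9a-fA-F]{8}\z/
    [query.sub(/\A0x/, '')].pack('H*').reverse
  else
    query
  end
end

# Locate the bytes in the pattern; nil means the value never appeared in the
# string, which is exactly what you get when you pass a pointer value such as
# the contents of ESP instead of the bytes at the address ESP points to.
def pattern_offset(query, length = 8192)
  pattern_create(length).index(query_to_bytes(query))
end

if __FILE__ == $0
  puts "q4Aq      -> #{pattern_offset('q4Aq').inspect}"      # 493
  puts "71413471  -> #{pattern_offset('71413471').inspect}"  # 493, same bytes
  puts "0098FD98  -> #{pattern_offset('0098FD98').inspect}"  # nil: a pointer, not data
end
```

The third lookup reproduces the failure in the question: 0098FD98 is the address held in ESP, and the bytes 98 FD 98 00 never occur in an alphanumeric pattern, so no offset can be found. The first two lookups agree because "q4Aq" is the little-endian rendering of the dword 0x71413471.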
