Metasploit mailing list archives
pattern_offset.rb
From: rhyskidd at gmail.com (Rhys Kidd)
Date: Sun, 08 Apr 2007 20:17:07 +0800
Sonixxfx wrote:
Can someone tell me why pattern_offset.rb does not work with the ESP and the EBP register in this case? I have attached a picture of ollydbg for clarification.
I'm assuming the process you have used to attempt to find the location in which ESP and EBP point to in the string is something like "./pattern_offset.rb 0098FD98 1000". ESP and EBP are registers which _point_ to a location in memory.

When a vulnerable string handling API was called - from memory war-ftpd uses plain old strcpy() - your long crafted string extends past the end of the target buffer, overflows any other later buffers and then finally overwrites the values of the stack pointer, base pointer and finally the saved return address. A few cycles later, the function which contained the strcpy then finishes, and attempts to return. The value of the saved return address becomes the value in EIP; however ESP and EBP continue to merely _point_ to the memory location of another portion of your long string. The values of ESP and EBP themselves are not changed by the buffer overflow.

What you want to do is take the first bytes of the portion of string at ESP ("q4Aq"), convert it to hex with either an online ASCII converter or some Ruby and then feed these values into ./pattern_offset.rb. In this way you will now have the location in your crafted string that eventually becomes the beginning of the location ESP points to. Under the classic approach to stack overflows you'll finally want to set your saved return address to a "jmp esp" or equivalent.

- Rhys
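A worked example of the step Rhys describes, added here and not code from the thread or from Metasploit's own pattern_create.rb / pattern_offset.rb: a small Ruby re-implementation of the cyclic pattern, with the four bytes found at ESP fed in either as the ASCII seen in the debugger ("q4Aq") or as the little-endian dword those bytes form, and the mistake from the question (feeding in the stack address rather than the bytes at that address) shown returning no match. The function names, the 1000-byte pattern length (matching the "1000" quoted above) and the sample inputs are this example's own assumptions.

```ruby
# Added example, not Metasploit's pattern_create.rb / pattern_offset.rb.
# Assumes the standard (upper, lower, digit) triple layout of the cyclic pattern.

# Build the cyclic pattern "Aa0Aa1Aa2...": every 3 bytes is one (upper, lower, digit)
# triple, so every 4-byte window is unique within the first 26*26*10*3 = 20280 bytes.
def pattern_create(length)
  out = String.new(encoding: Encoding::BINARY)
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length] # constructed cap for this example: one full cycle at most
end

# Turn the 4 ASCII bytes seen at ESP (e.g. "q4Aq") into the little-endian dword a
# debugger would display if those same bytes had been loaded into a register.
def ascii_to_dword(four_bytes)
  four_bytes.b.unpack1('V')
end

# Locate a value in the pattern. Accepts either the raw 4 ASCII characters or an
# 8-hex-digit dword (with or without 0x), which is unpacked little-endian the way
# the real tool does. Returns nil when the bytes are not part of the pattern, which
# is exactly what happens if a stack *address* such as 0098FD98 is fed in instead
# of the bytes that ESP points to: the address was never in the crafted string.
def pattern_offset(pattern, needle)
  bytes =
    if needle =~ /\A(?:0x)?\h{8}\z/i
      [needle.sub(/\A0x/i, '').hex].pack('V')
    else
      needle.b
    end
  pattern.b.index(bytes)
end

if __FILE__ == $PROGRAM_NAME
  pat = pattern_create(1000)
  puts format('"q4Aq" as little-endian dword: 0x%08x', ascii_to_dword('q4Aq'))
  puts "offset of q4Aq:       #{pattern_offset(pat, 'q4Aq').inspect}"
  puts "offset of 0x71413471: #{pattern_offset(pat, '0x71413471').inspect}"
  puts "offset of 0098FD98 (an address, not pattern bytes): #{pattern_offset(pat, '0098FD98').inspect}"
end
```

Both forms of the ESP bytes resolve to the same offset, and the address form resolves to nothing, which is the whole point of the reply. One caveat worth knowing when using this kind of lookup: an 8-character input made only of the characters 0-9 and a-f is indistinguishable from a hex dword, so for such a window pass the dword form explicitly.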
Current thread:
- pattern_offset.rb Sonixxfx (Apr 08)
- pattern_offset.rb Rhys Kidd (Apr 08)
- pattern_offset.rb Sonixxfx (Apr 08)
- pattern_offset.rb Rhys Kidd (Apr 08)