Vulnerability Development mailing list archives
Re: exploit coding
From: "ConKing" <Connection_king () busch-hacker de>
Date: Mon, 18 Jun 2001 19:46:34 +0200
Did I understand it right... you want to know how to get the right offset? It shouldn't be any problem, just sp - buffer (size), which is stored in the stack... now where's your problem getting the offset to the vulnerable buffer????? If you filled everything with NOPs it shouldn't really be a problem...

sincerely
Robin

--
visit: www.usad.li

-----Original Message-----
From: roland kwitt [mailto:sniper () f1lesystem net]
Sent: Sunday, 17 June 2001 21:34
To: VULN-DEV () securityfocus com
Subject: exploit coding

hi folks,

here I am again with a question on writing exploits! My problem is that in the last exploit I wrote, the buffer I overflowed was the first variable in the program, so it was not very difficult to guess the offset. Now I found a buffer overflow problem in a little program my friend wrote, a dynamic dns entry updater (runs as setuid root). The variable is now no longer in first place.

In my last exploit I used the function sp() to get the stack pointer and wanted the user to enter the offset. Then I calculated the return address by subtracting the offset from the stack pointer. Generally the value 0 was ok for the offset and my exploit worked as I wanted it to.

Can anybody tell me how I can guess the offset and how to calculate the return address if the variable is not the first one in the program?

Piece of code from an exploit!!

    offset = atoi(argv[1]);
    esp = sp();          /* get stack pointer */
    ret = esp - offset;

thanks,
sniper
sniper () f1lesystem net
Current thread:
- exploit coding roland kwitt (Jun 18)
- Re: exploit coding Sebastian (Jun 18)
- <Possible follow-ups>
- Re: Exploit Coding Don Tansey (Jun 18)
- Re: exploit coding ConKing (Jun 18)
- Re: exploit coding Olivier Gay (Jun 19)