Vulnerability Development mailing list archives

RE: win32 bof question


From: "Brett Moore" <brett () softwarecreations co nz>
Date: Tue, 25 Nov 2003 11:11:40 +1300

Hi,

The JMP you are trying to use is executed relative to the start position, as can be seen in the following. The second operand of the jmp instruction tells the CPU the distance to jump.

0012EA4D EB 01                jmp         0012EA50          // jmp 1 byte to tester
0012EA4F 90                   nop                           // spacer
0012EA50 B9 0F 04 17 01       mov         ecx,117040Fh      // tester:

0012EA4D EB 07                jmp         0012EA56          // jmp 7 bytes to tester
0012EA4F 90                   nop
0012EA50 90                   nop
0012EA51 90                   nop
0012EA52 90                   nop
0012EA53 90                   nop
0012EA54 90                   nop
0012EA55 90                   nop
0012EA56 B9 0F 04 17 01       mov         ecx,117040Fh      // tester

I have tried several things to get the right opcodes for this jmp, first I tried
__asm{
      jmp never_really_called  //E9 FE 59 FF FF
};

This would give you the correct opcodes to jmp to the function FROM the position where this was executed, so it will not give you the opcodes you need.

what I am trying to do is to jump to a function called "never_really_called" located at memory offset 0000401140

If you know that this is located at this 'static' location you can reach it through ways similar to:
        push 0x0000401140                       (It has nulls though)
        ret
or
        mov ecx,0x0000401140            (It has nulls though)
        jmp/call ecx

or you could work out the distance between 'never_really_called' and the position of the jmp instruction to use a JMP <distance>. But that is not really effective, as under a real overflow situation the shellcode is 'usually' in an unknown location, and therefore relative offsets can't be used to jump into code that is not part of your code, even if you do find yourself.

0012EA4D 68 5F 57 C3 AC       push        0ACC3575Fh
0012EA52 FF D4                call        esp

Regards
Brett

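Brett's point about the displacement being counted from the next instruction, worked through for the bytes in the question quoted below. This is an added example, not code from either poster; it assumes buf[0] sits at 0x0012FF24 (read off the saved-EIP overwrite bytes 24 FF 12 00 in the question), so the E9 written at buf[2] executes at 0x0012FF26. From that, the posted displacement lands at 0x0053106B, the address the poster observed, and the encoder produces the displacement that actually reaches 0x00401140.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed from the question: the saved-EIP overwrite 24 FF 12 00 points
 * at buf[0] = 0x0012FF24, so the E9 placed at buf[2] executes at 0x0012FF26.
 * kTarget is the address the poster gives for never_really_called. */
static const uint32_t kJmpAddr = 0x0012FF26u;
static const uint32_t kTarget  = 0x00401140u;
static const uint8_t  kPosted[5] = {0xE9, 0x40, 0x11, 0x40, 0x00};

/* Encode "jmp rel32" (E9 xx xx xx xx). The displacement is counted from the
 * address of the NEXT instruction (jmp_addr + 5) and stored little-endian;
 * unsigned wraparound yields the two's-complement value for backward jumps. */
static void encode_jmp_rel32(uint32_t jmp_addr, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (jmp_addr + 5);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Where does an E9 jmp sitting at jmp_addr actually land? Returns 0 if not E9. */
static uint32_t decode_jmp_rel32(uint32_t jmp_addr, const uint8_t code[5])
{
    if (code[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return jmp_addr + 5 + rel;
}

/* Same for the 2-byte short form "jmp rel8" (EB xx) used in Brett's listings. */
static uint32_t decode_jmp_rel8(uint32_t jmp_addr, const uint8_t code[2])
{
    if (code[0] != 0xEB) return 0;
    return jmp_addr + 2 + (uint32_t)(int32_t)(int8_t)code[1];
}

int main(void)
{
    uint8_t fixed[5];
    printf("posted bytes land at 0x%08X (wanted 0x%08X)\n",
           decode_jmp_rel32(kJmpAddr, kPosted), kTarget);
    encode_jmp_rel32(kJmpAddr, kTarget, fixed);
    printf("jmp from 0x%08X to 0x%08X encodes as", kJmpAddr, kTarget);
    for (int i = 0; i < 5; i++) printf(" %02X", fixed[i]);
    printf("\n");
    return 0;
}
```
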
-----Original Message-----
From: ma1ler_deamon [mailto:ma1ler_deamon () yahoo com]
Sent: Tuesday, November 25, 2003 7:26 AM
To: Vuln-Dev () securityfocus com
Subject: win32 bof question



I am trying to wrap my brain around some shell code stuff and ran into something that isn't making much sense yet.


I have a function

void test3(void){
        char buf[3];    // 3-byte buffer; the stores below deliberately run past it

        // buf 0-7: two nops, then a 5-byte jmp (E9 + rel32) and a pad byte
        buf[0]=0x90;
        buf[1]=0x90;
        buf[2]=0xe9;
        buf[3]=0x40;
        buf[4]=0x11;
        buf[5]=0x40;
        buf[6]=0x00;
        buf[7]=0x00;

        //set eip on stack to be loc of buf[0]
        buf[8]= 0x24;
        buf[9]= 0xff;
        buf[10]= 0x12;
        buf[11]= 0x00;

}

buf 8-11 is overwriting saved eip with the location of buf[0]
buf 0-7 is my super simple (yet still failing) shell code

what I am trying to do is to jump to a function called "never_really_called" located at memory offset 0000401140

I have tried several things to get the right opcodes for this jmp, first I tried

__asm{
        jmp never_really_called  //E9 FE 59 FF FF
};

inline in the function and then extracted the opcodes in the debugger, which I thought would give me the right result, but didn't.

then I opened a random exe in hiew and changed the first instruction to jmp 401140 in asm mode and grabbed the opcodes, but that wasn't quite right either.

as in the example, the E9 40 11 40 00 00 shows up right in the dsm view of the debugger, as a "jmp never_really_called (401140)", but then when the jump actually happens I find myself at 53106b

I have to be missing something simple...any words of wisdom?

I am using vc6 w/ debug config
