Vulnerability Development mailing list archives
RE: win32 bof question
From: "Brett Moore" <brett () softwarecreations co nz>
Date: Tue, 25 Nov 2003 11:11:40 +1300
Hi,

The JMP you are trying to use is executed relative to the start position, as can be seen in the following. The second operand of the jmp instruction instructs the cpu the distance to jump.

0012EA4D EB 01            jmp 0012EA50        // jmp 1 byte to tester
0012EA4F 90               nop                 // spacer
0012EA50 B9 0F 04 17 01   mov ecx,117040Fh    // tester:

0012EA4D EB 07            jmp 0012EA56        // jmp 7 bytes to tester
0012EA4F 90               nop
0012EA50 90               nop
0012EA51 90               nop
0012EA52 90               nop
0012EA53 90               nop
0012EA54 90               nop
0012EA55 90               nop
0012EA56 B9 0F 04 17 01   mov ecx,117040Fh    // tester
I have tried several things to get the right opcodes for this jmp, first I tried

__asm{
    jmp never_really_called    //E9 FE 59 FF FF
};
Would give you the correct opcodes to jmp to the function FROM the position where this was executed. So will not give you the correct opcodes required.
what I am trying to do is to jump to a function called "never_really_called" located at memory offset 0000401140
If you know that this is located at this 'static' location you can reach it thru ways similar to;

push 0x0000401140    (It has nulls tho)
ret

or

mov ecx,0x0000401140    (It has nulls tho)
jmp/call ecx

or you could work out the distance between 'never_really_called' and the position of the jmp instruction to use a JMP <distance>. But that is not really effective as under a real overflow situation the shellcode is 'usually' in an unknown location and therefore relative offsets can't be used to jump into code that is not part of your code, even if you do find yourself.

0012EA4D 68 5F 57 C3 AC   push 0ACC3575Fh
0012EA52 FF D4            call esp

Regards
Brett

-----Original Message-----
From: ma1ler_deamon [mailto:ma1ler_deamon () yahoo com]
Sent: Tuesday, November 25, 2003 7:26 AM
To: Vuln-Dev () securityfocus com
Subject: win32 bof question

I am trying to wrap my brain around some shell code stuff and ran into something that isn't making much sense yet. I have a function

void test3(void)
{
    char buf[3];
    buf[0] = 0x90;
    buf[1] = 0x90;
    buf[2] = 0xe9;
    buf[3] = 0x40;
    buf[4] = 0x11;
    buf[5] = 0x40;
    buf[6] = 0x00;
    buf[7] = 0x00;
    // set eip on stack to be loc of buf[0]
    buf[8]  = 0x24;
    buf[9]  = 0xff;
    buf[10] = 0x12;
    buf[11] = 0x00;
}

buf 8-11 is overwriting saved eip with the location of buf[0]
buf 0-7 is my super simple (yet still failing) shell code

what I am trying to do is to jump to a function called "never_really_called" located at memory offset 0000401140

I have tried several things to get the right opcodes for this jmp, first I tried

__asm{
    jmp never_really_called    //E9 FE 59 FF FF
};

inline in the function and then extracted the opcodes in the debugger... which I thought would give me the right result, but didn't.. then I opened a random exe in hiew and changed the first instruction to jmp 401140 in asm mode and grabbed the opcodes..but that wasn't quite right either..

as is in the example the E9 40 11 40 00 00 shows up right in the dsm view of the debugger, as a "jmp never_really_called (401140)" but then when the jump actually happens...I find myself at 53106b

I have to be missing something simple...any words of wisdom?

I am using vc6 w/ debug config
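Brett's point that the E9 displacement is counted from the next instruction, as an added worked example written for this archive page (not code from either poster): it decodes the E9 bytes from the test3 buffer at the address the overwritten return address points to (0x0012FF24, from the bytes 24 FF 12 00, assuming buf[0] is the first byte executed) and reproduces the 53106b landing address, then encodes the rel32 that would reach never_really_called at 0x00401140 from that spot and shows the push/ret alternative and its nulls. It also decodes the short EB form from Brett's first listing, which goes slightly beyond the post.

```python
import struct

# x86 jmp rel8 (EB) and jmp rel32 (E9) are both relative to the address of
# the *next* instruction, i.e. insn_addr + length of the jmp itself.
JMP_LEN = {0xEB: 2, 0xE9: 5}


def decode_jmp(insn_addr: int, code: bytes) -> int:
    """Return the address a relative jmp located at insn_addr actually lands on."""
    opcode = code[0]
    if opcode not in JMP_LEN:
        raise ValueError(f"not a relative jmp: {opcode:02X}")
    length = JMP_LEN[opcode]
    if len(code) < length:
        raise ValueError("truncated jmp")
    fmt = "<b" if opcode == 0xEB else "<i"      # signed rel8 / signed rel32
    rel = struct.unpack_from(fmt, code, 1)[0]
    return (insn_addr + length + rel) & 0xFFFFFFFF


def encode_jmp_rel32(insn_addr: int, target: int) -> bytes:
    """E9 rel32 that reaches target when executed at insn_addr."""
    rel = target - (insn_addr + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return b"\xE9" + struct.pack("<i", rel)


def encode_push_ret(target: int) -> bytes:
    """push imm32 / ret: absolute, so position independent, but imm32 may hold nulls."""
    return b"\x68" + struct.pack("<I", target) + b"\xC3"


def has_nulls(code: bytes) -> bool:
    return b"\x00" in code


# Constructed from the post: saved eip is overwritten with 24 FF 12 00, so buf[0]
# runs at 0x0012FF24 and the E9 at buf[2] sits at 0x0012FF26 (assumption: buf[0]
# is the first byte executed).
BUF_ADDR = 0x0012FF24
POSTED_JMP = bytes([0xE9, 0x40, 0x11, 0x40, 0x00])   # buf[2..6] from test3
TARGET = 0x00401140                                   # never_really_called

if __name__ == "__main__":
    landed = decode_jmp(BUF_ADDR + 2, POSTED_JMP)
    print(f"E9 40 11 40 00 at {BUF_ADDR + 2:08X} lands at {landed:08X}")  # 0053106B
    fixed = encode_jmp_rel32(BUF_ADDR + 2, TARGET)
    print("rel32 that reaches the function from there:", fixed.hex(" "))
    alt = encode_push_ret(TARGET)
    print("push/ret:", alt.hex(" "), "contains nulls:", has_nulls(alt))
```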