Hi.

On Sun, Jun 17, 2001 at 09:34:13PM +0200, roland kwitt wrote:

> the variable is now no longer in first place. in my last exploit i used
> the function sp() to get the stack pointer and wanted the user to enter
> the offset. Now i calculated the return address by subtracting the offset
> from the stack pointer. generally the value 0 was ok for the offset and my
> exploit worked as i wanted it.
> can anybody tell me how i can guess the offset and how to calculate the
> return address if the variable is not the first one in the program?

Well, generally there is no completely safe way to do this. My first
recommendation is to drop the "movl %esp, %eax; ret" approach completely
and use fixed offsets instead. There are some exceptions (old sparcs, for
example), where it is necessary to get an approximate stack address, but
in this case it's not.

The most important factor in your case seems to be the size of the
environment, which happens to be located near the stack top, above the
first function frame. Either get rid of it completely (execve with a NULL
environment or an empty environment), or stick your shellcode there. If
you use large nop gaps before it, as shown in aleph1's classic stack smash
paper, you will have success with it in most cases.

If you cannot modify the environment or the setuid program modifies or
complains about it, you should go for the fixed-base-offset and addend
approach. I see no reason why an esp-getting approach should be superior
to a hardcoded offset on the x86 with a fixed stack base.

Btw, how big is the buffer you overflow?

> thanks, sniper
> sniperat_private

ciao,
-scut

-- 
-. scutat_private-berlin.de -. + http://segfault.net/~scut/ `--------------------.
-' segfault.net/~scut/pgp      `' 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
`- AFIWC control and information seized. awaiting orders. hi echelon --------'
This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 15:06:59 PDT