Re: POC Heap based buffer overflow

From: Roland Postle (mailat_private)
Date: Sat Apr 12 2003 - 10:41:50 PDT

    On Fri, 11 Apr 2003 15:16:11 -0400, Aaron C. Newman (Application
    Security, Inc.) wrote:
    
    >The payload is not written directly to ESP or EBP so I can not simply
    >call somewhere in the program where there is a "call esp" or "jmp esp".
    >One of the areas overwritten does seem to be consistently written to ESP
    >+ 0x1D00 or EBP + 0x1D10 so I was hoping to find someplace in code where
    >it executes:
    >add esp, 0x1D00
    >jmp esp
    
    Sometimes you'll find you can control a dword further down the stack;
    then you can find an
    
    add esp, 0x100
    retn
    
    to get you there, and then find another dword a bit further down that
    you control, so you end up 'hopping' down the stack. But I doubt it
    would work in your case: 0x1D00 is a long way to go.
    
    The other thing to look for is a bit of static memory you can control;
    it need only be a few bytes long, enough to put an
    
    add esp, 0x1d00
    retn
    
    in. Then jump there. If your target app is single-threaded (or your
    overflow is always in the first thread) you may even find a good bit of
    'static' memory further down the stack. In my experience the first
    thread always gets a stack based at the same address (0x00140000),
    though it may be OS version specific.
    
    - Blazde
    
    This archive was generated by hypermail 2b30 : Sat Apr 12 2003 - 12:48:48 PDT