Have you tried putting your shellcode after the saved EIP? Use the fact that ESP points to just after the location of the saved EIP as a blessing and just put your shellcode at the end.

[ 396 bytes padding ] [ RET ] [NOP*] [ SHELLCODE ]

You'll often have more room for your shellcode after the saved return address anyway.

Have fun,
-Dino

On Monday, April 21, 2003, at 09:50 PM, <chaboyd77at_private> wrote:

> I'm practicing developing Windows Buffer Overflows and
> have run into a slight snag. When I overwrite EIP with
> the address of "jmp ESP" I land below my shellcode instead
> of where the top of the stack used to be:
>
> <-----------400 bytes-------->
> [NOP's........Shellcode...EIP..*<-code jumps here**]
>
> This didn't seem right but I figured that I'd use an
> offset from ESP to hop back to my shellcode.
>
> xor eax,eax
> xor ebp,ebp
> mov ebp,esp
> mov eax,ebp - 190H
> jump eax
>
> What I'm trying is loading esp into ebp and then moving
> that value into eax followed by a jump eax. Tried straight
> from esp to eax but figured out that wasn't allowed. I know
> that the .printer exploit (jill.c) does something similar (uses
> eax and ebx to make the jump). Any ideas?
>
> Thanks,
> Dave

-- 
Dino Dai Zovi / ddzat_private / www.theta44.org
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F
This archive was generated by hypermail 2b30 : Wed Apr 23 2003 - 14:29:57 PDT