Buffer overflow advice
I'm currently trying to generate a buffer overflow on the version of FreeFTPD mentioned on securinfos.info, and I'm a little stuck.
I can reliably overwrite the EIP with my own value, but the overflow doesn't appear to overwrite the memory address that the ESP points to (viewed in OllyDBG). The other main thread talking about buffer overflows on this forum indicates that one can find the opcode for JMP ESP if the ESP points to somewhere in the overflowed address space but, as my ESP doesn't, can someone please provide me with advice on where to look next?
By the way, the EIP is overwritten after I pass the exception back to the program in OllyDBG several times using Shift+F7 and F9 to continue. I guess this is the way it should be done? And at this point, no other registers point to any part of the overflowed buffer either, so I don't think I can JMP EAX or anything like that...
Thanks very much,
Maybe I need to provide more information?
Some software I can successfully exploit (such as War FTPD version 1.6.5) because the ESP points to the buffer which I filled with my own bytes (for example "A"). No problems there, just calculate the correct number of bytes to control the EIP, choose a large enough buffer to include shellcode in and find the opcode to jump to the relevant register.
But I can't seem to do this for FreeFTPD - and I'm having trouble working out why. I can see that the stack pointer and base pointer don't point to the buffer, so I'm wondering what I should do next. I tried just overwriting the EIP with a memory location containing my NOPs and shellcode, but from my reading it seems that the inclusion of 0x00 will stop it, as it's a NULL byte (which is no good because all the memory addresses on the stack in Windows that contain my code contain 0x00).
Any help would be appreciated - tutorials, tips or anything. Thanks for reading.