Thread: A question about buffer overflows...

  1. #1
    Member (Join Date: May 2008, Posts: 190)

    A question about buffer overflows...

    Why is it better to put a memory address that points to a 'jmp to esp' call of a Windows DLL in the EIP, which would in turn, have EIP run a jump to the ESP, which would in turn point to the start of shellcode, instead of just putting a memory address that points to the ESP in the EIP, that way EIP goes directly to ESP and then gets directed to the shellcode?

    Could you give some examples of why that wouldn't work?

  2. #2
    Junior Member (Join Date: Aug 2007, Posts: 55)

    Because ESP is not always the same and the jmp ESP address in the particular DLL is (except with vista which has ASLR).

  3. #3
    Moderator KMDave (Join Date: Jan 2010, Posts: 2,281)

    Quote Originally Posted by drakoth777:
        Why is it better to put a memory address that points to a 'jmp to esp' call of a Windows DLL in the EIP, which would in turn, have EIP run a jump to the ESP, which would in turn point to the start of shellcode, instead of just putting a memory address that points to the ESP in the EIP, that way EIP goes directly to ESP and then gets directed to the shellcode?

        Could you give some examples of why that wouldn't work?

    The address is different from time to time, also depending on the system. Same goes for the jmp address. That's why you should try to use one of the DLLs coming with the application if possible instead of a Windows DLL, since the offsets are different with different languages.

    Tiocfaidh ár lá
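    As an added example (not code from this thread or its posters): the replies turn on whether a module's code addresses stay fixed, and on Windows that is decided by the DllCharacteristics field of its PE optional header, where a DLL opts into ASLR. The small Python check below reads that field so a defender can list which of a product's shipped DLLs still load at a fixed base. The build_fake_pe helper and its values are constructed here purely so the check runs offline; the header offsets and flag values come from the PE format.

```python
import struct

# Flag values from the PE/COFF specification (DllCharacteristics field).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR on
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                                  # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    return struct.unpack_from("<H", data, opt + 70)[0]


def has_aslr(data: bytes) -> bool:
    """True if the module is relocatable, i.e. its jmp/call addresses move per boot."""
    return bool(pe_dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def modules_without_aslr(images: dict) -> list:
    """Given {name: image bytes}, return the names that still load at a fixed base."""
    return sorted(name for name, data in images.items() if not has_aslr(data))


def build_fake_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE header (not a loadable DLL) for offline demonstration."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    # COFF header: i386, 1 section, 224-byte optional header, DLL + executable flags.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = {"app.dll": build_fake_pe(0x0140), "legacy.dll": build_fake_pe(0x0100)}
    print("fixed-base modules:", modules_without_aslr(sample))  # prints ['legacy.dll']
```

    On a real system, read each DLL with open(path, "rb").read() and pass the bytes in; modules listed are the ones whose code offsets stay stable across reboots.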
