Results 1 to 2 of 2

Thread: BoF Exploit Windows XP SP0

  1. #1
    Just burned his ISO
    Join Date
    Oct 2009
    Posts
    1

    Default BoF Exploit Windows XP SP0

    Hi,

    Sorry for double-posting in the other thread! I missed the fact that my posts have to be approved by a mod and thought my first post would have been lost.

    I have the task to demonstrate a buffer overflow with Windows XP (NO service pack installed). There are several tutorials on how to do this on the net. So I just wrote some vulnerable piece of C++ server code including:

    char test[20];
    ...
    strcpy( test, attackerstring);

    where "attackerstring" is the ordinary much too long string passed by the client (some hundred "A" characters). The BoF seems to work and will crash the application. I am also able to overwrite both EAX and ECX (take a look at the screenshot below). However, I am not able to overwrite the crucial EIP, regardless how ridiculously long the string of "A" characters is. 100 do not work, 500 do not work, 2000+ do not work. It doesn't help either to let OllyDbg pass the exception to my programme.

    SCREENSHOT: img101.imageshack.us/img101/5986/ollydbg.jpg

    The exploit is running on VMWare Player 2.53 & Windows XP SP 0. All tutorials and forum posts I have browsed require me to access the EIP. Does anybody have an idea why it is not working for me? I'm really despaired by now.

    Thanks for your efforts, m.

  2. #2
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Make sure the overflow occurs inside a function and not inside main, as demonstrated in the code below. This will ensure that the overflow occurs on the stack which allows the return address fed to EIP when the function exits to be overwritten.

    A buffer of 28 A characters will overwrite EIP for the code below.

    Code:
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    
    void function(char *input) {
    	char buffer[20];
    	strcpy(buffer, input);  //overflow here, when function returns to main the return address can be overwritten
    }
    
    int main(int argc, char *argv[]) {
    	function(argv[1]);
    	return 0;
    }
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •