Thread: exploit write, small jump

  1. #1 Good friend of the forums (Join Date: Jun 2008, Posts: 425)

    Hi, I'm trying to work out how to do a small jump. I'm using the opcode eb, and would like to jump 10 instructions.
    Do I have to add an offset or linear number in front of or behind it?

  2. #2 Junior Member (Join Date: Jul 2009, Posts: 37)

    geek32 edition | X86 Opcode and Instruction Reference 1.10

    Really good site I found, VERY useful for shellcoding/exploit dev; sorry I don't have time to search it for you.

  3. #3 Good friend of the forums (Join Date: Jun 2008, Posts: 425)

    Thanks b3r00tb4ck

  4. #4 Super Moderator lupin (Join Date: Jan 2010, Posts: 2,943)

    It's '\eb\0a' for future reference. Be careful though, because '\0a' is often a restricted character for buffer overflows.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
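The answer above packs two facts that are easy to get wrong: the byte after EB is a signed 8-bit displacement counted in bytes (not instructions) from the end of the two-byte jump, and the encoded bytes may collide with characters a target parser refuses. The following helper, added here as an example and not code from the thread or its posters, encodes and decodes the short jump and reports which bytes of the encoding fall in a restricted set. The restricted set used as the default is a constructed sample, not a claim about any particular program.

```python
# Added example (not from the forum thread): x86 short jump (EB rel8) arithmetic.
# The displacement is relative to the address of the *next* instruction,
# i.e. the jump's own address + 2, and is a signed byte (-128 .. +127).

# Constructed sample of commonly restricted bytes (NUL, LF, CR); real lists
# depend on the parser that handles the input.
RESTRICTED_DEFAULT = b"\x00\x0a\x0d"


def encode_short_jmp(from_addr: int, to_addr: int) -> bytes:
    """Return the two bytes EB xx that jump from from_addr to to_addr.

    Raises ValueError when the displacement does not fit in a signed byte
    (that case needs the five-byte E9 rel32 form instead).
    """
    disp = to_addr - (from_addr + 2)  # measured from the end of the 2-byte jmp
    if not -128 <= disp <= 127:
        raise ValueError(f"displacement {disp} does not fit in rel8")
    return b"\xeb" + (disp & 0xFF).to_bytes(1, "little")  # two's complement


def decode_short_jmp(addr: int, code: bytes) -> int:
    """Given the bytes located at addr, return the target of an EB short jump."""
    if len(code) < 2 or code[0] != 0xEB:
        raise ValueError("bytes do not start with a short jmp (EB)")
    disp = int.from_bytes(code[1:2], "little", signed=True)
    return addr + 2 + disp


def skip_over(n_bytes: int) -> bytes:
    """Encode a forward jump that skips the n_bytes following the jump itself."""
    return encode_short_jmp(0, 2 + n_bytes)


def restricted_bytes(code: bytes, restricted: bytes = RESTRICTED_DEFAULT) -> set:
    """Return the set of byte values in `code` that also appear in `restricted`."""
    return {b for b in code if b in restricted}


if __name__ == "__main__":
    jmp = skip_over(10)
    print(jmp.hex())                                   # eb0a
    print(hex(decode_short_jmp(0x1000, jmp)))          # 0x100c
    print(restricted_bytes(jmp))                       # {10}: the 0x0a lupin warns about
    print(encode_short_jmp(0x1000, 0x1000).hex())      # ebfe: jump to self
```

Note that `skip_over(10)` reproduces the thread's `eb 0a` and that `restricted_bytes` flags its second byte, which is exactly why a displacement of ten is awkward when 0x0a is filtered; choosing a different landing offset (eleven bytes, for example) changes the encoding without changing the technique.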

  5. #5 Good friend of the forums (Join Date: Jun 2008, Posts: 425)

    This is along the same lines: Olly is showing up 75e00000 referenced memory at 41414141.
    I have tried pointing the memory location to some locations.
    When I ran the exploit to the crash, I then ran again, and then Olly dies.

    Any help would be appreciated.
    Thanks

  6. #6 Super Moderator lupin (Join Date: Jan 2010, Posts: 2,943)

    Need some more details about what you are doing and what exactly changed between the overwrite with \x41 and the time where you tried to point the crash location elsewhere. Also, what do you mean when you say Olly dies?

    Do you know what type of overwrite this is? Stack based? Direct EIP or SEH? How are you feeding the buffer to the program (STDIN, network socket)?

    Perhaps give a step by step of what your buffer contains during the \41 overwrite and when you try to point the buffer to a particular location, exactly what Olly does in response to each buffer.

  7. #7 Good friend of the forums (Join Date: Jun 2008, Posts: 425)

    Quote Originally Posted by lupin:
    Need some more details about what you are doing and what exactly changed between the overwrite with \x41 and the time where you tried to point the crash location elsewhere. Also, what do you mean when you say Olly dies?

    Do you know what type of overwrite this is? Stack based? Direct EIP or SEH? How are you feeding the buffer to the program (STDIN, network socket)?

    Perhaps give a step by step of what your buffer contains during the \41 overwrite and when you try to point the buffer to a particular location, exactly what Olly does in response to each buffer.

    It calls SEH; I send it to the program with a network socket. EIP is the address of a cmp [ecx],eax where ecx contains 41414141.
    After it shows up saying it tried to reference memory, I click run, it comes up again, I then hit run and Olly closes (not in the task bar).
    There are a couple of places in the program where SafeSEH is off.

  8. #8 Super Moderator lupin (Join Date: Jan 2010, Posts: 2,943)

    Quote Originally Posted by compaq:
    It calls SEH; I send it to the program with a network socket. EIP is the address of a cmp [ecx],eax where ecx contains 41414141.
    After it shows up saying it tried to reference memory, I click run, it comes up again, I then hit run and Olly closes (not in the task bar).
    There are a couple of places in the program where SafeSEH is off.

    I've never had Olly do that to me before. Are you using the default config?

    If you are doing an SEH overwrite, why don't you try and use a POP, POP, RET? That's the usual way to get code execution.

  9. #9 Good friend of the forums (Join Date: Jun 2008, Posts: 425)

    Quote Originally Posted by lupin:
    I've never had Olly do that to me before. Are you using the default config?

    If you are doing an SEH overwrite, why don't you try and use a POP, POP, RET? That's the usual way to get code execution.

    May sound a bit... Do I add the address of the start of a pop pop ret into ecx, like 77c40000? I have tried things like that (push ecx, call), as well as a short jump; all just display the string of the commands at address 77c40000 in ecx.
    It goes into the exception handler, but ecx just gets zeroed out.

  10. #10 Very good friend of the forum Gitsnik (Join Date: Jan 2010, Location: The Crystal Wind, Posts: 851)

    Quote Originally Posted by lupin:
    I've never had Olly do that to me before. Are you using the default config?

    Anti-debugging code will do that. Immunity Debugger has a !hidedbg command (misspellings may apply).
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
