
Thread: Buffer Overflows - Help Understanding EIP and ESP Interaction

  1. #21
    Member
    Join Date
    Jun 2009
    Posts
    74

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    I think that's an easier way to understand it. I understand the whole process much better after moving on to the more advanced tutorials. This is good stuff. Thanks for the additional clarification as well; now it will help someone else too!
    cd ~
    cd ./fridge
    rm beer
    cd ../bedroom
    more beer

  2. #22
    Senior Member savioboyz's Avatar
    Join Date
    Oct 2010
    Location
    Nigeria
    Posts
    118

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    Since the JMP or SEH address always has to be reversed in some manner, with a '\x' added in front of each pair of hex digits, I felt kind of lazy having to do this reversing and addition of the '\x' characters each time,
    so I wrote this script to help me with the reversing and conversion.
    Thought this could be useful to other thread members too... Here is the code:

    Code:
    #!/usr/bin/env python
    # Reverse a 32-bit JMP/SEH address into the little-endian '\xNN' form
    # that goes into an exploit buffer. Works under Python 2 and 3.
    
    import sys
    
    def usage():
        print("Usage: %s <JMP or SEH Address>\n" % sys.argv[0])
        print("Example: %s 0x0F9A2B7F or %s 0F9A2B7F" % (sys.argv[0], sys.argv[0]))
        sys.exit()
    
    def jmp_format(address):
        # Drop an optional 0x/0X prefix
        hex_digits = address
        if hex_digits[:2].lower() == '0x':
            hex_digits = hex_digits[2:]
        # Left-pad to 8 hex digits so short addresses (e.g. 401000) still give 4 bytes
        hex_digits = hex_digits.zfill(8)
        # Split into byte pairs, reverse their order (little-endian), prefix each with \x
        byte_pairs = [hex_digits[i:i + 2] for i in range(0, 8, 2)]
        return ''.join('\\x%s' % pair for pair in reversed(byte_pairs))
    
    if __name__ == '__main__':
        try:
            address = sys.argv[1]
            print(jmp_format(address))
        except IndexError:
            usage()

    Code:
    root@bt:~# python jmp 0x0f9a33d4
    \xd4\x33\x9a\x0f
    Although, to make it easier for me, I "chmod +x"ed the script and then copied it to the /bin/ directory,
    so that I could run it like any normal built-in
    unix command like ls, ping, cat etc..... this is optional though.


    Code:
    root@bt:~# jmp 0x0f9a33d4
    \xd4\x33\x9a\x0f
    Last edited by savioboyz; 01-08-2011 at 08:25 PM.
    Saviour Emmauel Ekiko

  3. #23
    Member
    Join Date
    Jun 2009
    Posts
    74

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    ha, that's pretty slick. Now if only I had the time to write enough buffer overflow exploits to actually use it, that would be nice ...lol

    Cool script anyway, thanks for sharing, it'll come in handy.
    cd ~
    cd ./fridge
    rm beer
    cd ../bedroom
    more beer

  4. #24
    Administrator sickness's Avatar
    Join Date
    Jan 2010
    Location
    Behind the screen.
    Posts
    2,921

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    I usually prefer to do everything manually unless I don't have enough time. The main reason is that after a while of using automation tools/scripts you start forgetting how to do it manually, and these tools/scripts don't always work.
    Back|track giving machine guns to monkeys since 2007 !

    Do not read the Wiki, most your questions will not be answered there !
    Do not take a look at the: Forum Rules !

  5. #25
    Just burned his ISO t4tm0h's Avatar
    Join Date
    Sep 2010
    Location
    Wudangshan
    Posts
    13

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    Hey I want to seriously thank you guys for putting this together. Great stuff!

    For whatever reason, I think I have obtained most of the critical aspects of pentesting, but learning to create exploits is THE most challenging thing I've come across. Even if I do learn/master exploit development, I will always appreciate good hands-on tutorials on the subject.

    I do have a few questions, and they're noob questions so please excuse me if they are dumb questions. Are there going to be fewer buffer overflow exploits on 64 bit systems? What type of exploits are the mainstream on 64 bit systems?

  6. #26
    Member
    Join Date
    Jan 2010
    Posts
    70

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    Quote Originally Posted by sickness View Post
    I usually prefer to do everything manually unless I don't have enough time. The main reason is that after a while of using automation tools/scripts you start forgetting how to do it manually, and these tools/scripts don't always work.
    +1 to this.

    Your jmp calculator is really a 32-bit endianness reversal.
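    The script in post #22 and the remark in post #26 that it is "really a 32-bit endian reverse" both come down to the same thing: x86 is little-endian, so a 32-bit return address written into the saved EIP (or SEH) slot has to be laid down least-significant byte first. The following is an added example, not code from the thread or from any of the posters; it uses struct.pack, which is the standard-library way to do what the hand-rolled script does, shows the round trip back through struct.unpack (which is how the CPU reads those bytes into EIP), and adds a check the thread's script lacks: whether the packed address contains bad characters. The bad-character set, the offset of 260, and the 16-byte NOP sled are constructed values for illustration, not from the thread. Python 3.

```python
"""Added example (not from the thread): pack a 32-bit address the way x86
expects it in an EIP/SEH overwrite, and show why the bytes come out reversed."""
import struct

# Constructed for the example: characters that commonly break C-string based
# overflows (NUL terminator, LF and CR). Real bad-char sets are target-specific.
DEFAULT_BAD_CHARS = b"\x00\x0a\x0d"


def pack_le32(address):
    """Return the 4 little-endian bytes of a 32-bit address.

    'address' may be an int or a hex string with or without a 0x prefix,
    the same inputs the thread's jmp script accepts.
    """
    if isinstance(address, str):
        address = int(address, 16)
    if not 0 <= address <= 0xFFFFFFFF:
        raise ValueError("address does not fit in 32 bits: %#x" % address)
    return struct.pack("<I", address)   # '<' little-endian, 'I' unsigned 32-bit


def escape_bytes(raw):
    """Render bytes in the '\\xNN' form used in exploit source."""
    return "".join("\\x%02x" % b for b in raw)


def unpack_le32(raw):
    """Read 4 bytes back as the CPU does when it pops them into EIP."""
    return struct.unpack("<I", raw)[0]


def has_bad_chars(raw, bad=DEFAULT_BAD_CHARS):
    """Return the bad characters present in the packed bytes (empty if none)."""
    return bytes(b for b in raw if b in bad)


def build_overwrite(offset, address, payload):
    """Build the classic pattern: filler up to the saved EIP, the return
    address, then whatever is meant to execute (NOPs/shellcode).

    Refuses an address whose little-endian encoding contains a bad char,
    since a strcpy-style copy would stop at the first NUL and the overwrite
    would never reach EIP intact.
    """
    packed = pack_le32(address)
    bad = has_bad_chars(packed)
    if bad:
        raise ValueError("address %#x contains bad chars: %s"
                         % (address, escape_bytes(bad)))
    return b"A" * offset + packed + payload


if __name__ == "__main__":
    # Same input as the thread's example run
    addr = "0x0f9a33d4"
    packed = pack_le32(addr)
    print("packed  :", escape_bytes(packed))          # \xd4\x33\x9a\x0f
    print("unpacked: %#x" % unpack_le32(packed))     # 0xf9a33d4 (round trip)

    # Constructed demo buffer: 260 bytes of filler, return address, 16 NOPs
    buf = build_overwrite(260, 0x0F9A33D4, b"\x90" * 16)
    print("EIP slot reads back as: %#x" % unpack_le32(buf[260:264]))

    # An address with a bad char is rejected instead of silently emitted
    try:
        build_overwrite(260, 0x0F9A0A33, b"\x90" * 16)
    except ValueError as exc:
        print("rejected:", exc)
```

    The forward direction reproduces the thread's output (`\xd4\x33\x9a\x0f` for `0x0f9a33d4`); the reverse direction, reading those same four bytes back with `"<I"`, yields the original value, which is exactly why the order has to be reversed in the first place. The bad-character check is the part worth keeping in any helper like this: the thread's script will cheerfully print `\x00` bytes for an address such as `0x00401000`, and a copy that stops at the first NUL never gets to overwrite EIP.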

  7. #27
    Junior Member
    Join Date
    Aug 2010
    Posts
    34

    Default Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

    Quote Originally Posted by t4tm0h View Post
    Hey I want to seriously thank you guys for putting this together. Great stuff!

    For whatever reason, I think I have obtained most of the critical aspects of pentesting, but learning to create exploits is THE most challenging thing i've come across. Even if I do learn/master exploit development, i will always appreciate good hands on tutorials on the subject.
    Exploits are complicated enough, but they get far more complicated when you're dealing with things like DEP, ASLR, heap spray protection, Export Address Table Access Filtering (EAF) and much more. The people who can write remote (or even local) exploits that bypass all that successfully are pretty much gods.

