Buffer Overflows - Help Understanding EIP and ESP Interaction

[ThePistonDoctor]

I think that's an easier way to understand it. I understand the whole process much better after moving onto the more advanced tutorials. This is good stuff. Thanks for the additional clarification as well, now it will help someone else as well!

[savioboyz]

Since the JMP address or SEH address always had to be reversed in some manner
and some '\x' added to them in series of twos..Felt kind of lazy having to do this reversing and
addition of the '\x' characters each time.
so i wrote this script to help me with the reversing and conversion.
Thought this could be useful to others thread members too... Here are the codes:

Code:

#!/usr/bin/python

import sys

def usage():
    print "Usage: %s <JMP or SEH Address>\n"%(sys.argv[0])
    print "Example: %s 0x0F9A2B7F or %s 0F9A2B7F"%(sys.argv[0],sys.argv[0])
    sys.exit()

def jmp_format(address):
    list_address = list(address)
    if len(address) == 10:
        for iterate in range(0,2):
            list_address.pop(0)
    list_address.reverse()
    jump_address = ''
    tmp_list = []
    number_first = 0
    number_second = 1
    for iterate2 in range(0,4):
        tmp_list.append(list_address[0 + number_second])
        tmp_list.append(list_address[0 + number_first])
        jump_address += '\\x%s%s'%(tmp_list[0 + number_first],tmp_list[0 + number_second]) 
        number_first += 2
        number_second += 2
    return jump_address

try:
    address = sys.argv[1]
    print(jmp_format(address))
except IndexError:
    usage()

Code:

root@bt:~# python jmp 0x0f9a33d4
\xd4\x33\x9a\x0f

Although to make it easier for me, i "chmod +x "script_name" ed the script,, then copied the script to the /bin/ directory,
so that i could run it like any normal inbuilt
unix commands like ls,ping,cat etc..... this is optional though

Code:

root@bt:~# jmp 0x0f9a33d4
\xd4\x33\x9a\x0f

[ThePistonDoctor]

ha, that's pretty slick. Now if only I had the time to write enough buffer overflow exploits to actually use it, that would be nice ...lol

Cool script anyway, thanks for sharing, it'll come in handy.

[sickness]

I usually prefer to do everything manual unless I don't have enough time, the main reason is that after a while you use automation tools/scripts you start forgetting how to do it manually and these tools/scripts don't always work

[t4tm0h]

Hey I want to seriously thank you guys for putting this together. Great stuff!

For whatever reason, I think I have obtained most of the critical aspects of pentesting, but learning to create exploits is THE most challenging thing i've come across. Even if I do learn/master exploit development, i will always appreciate good hands on tutorials on the subject.

I do have a few questions, and they're noob questions so please excuse me if they are dumb questions. Are there going to be fewer buffer overflow exploits on 64 bit systems? What type of exploits are the mainstream on 64 bit systems?

[orgcandman]

I usually prefer to do everything manual unless I don't have enough time, the main reason is that after a while you use automation tools/scripts you start forgetting how to do it manually and these tools/scripts don't always work

+1 to this.

Your jmp calculator is really a 32-bit endian reverse.

[falseteeth]

Hey I want to seriously thank you guys for putting this together. Great stuff!

For whatever reason, I think I have obtained most of the critical aspects of pentesting, but learning to create exploits is THE most challenging thing i've come across. Even if I do learn/master exploit development, i will always appreciate good hands on tutorials on the subject.

Exploits are complicated enough, but they get far more complicated when you're dealing with things like DEP, ASLR, heap spray protection, Export Address Table Access Filtering (EAF) and much more. The people who can write remote (or even local) exploits that bypass all that successfully are pretty much gods.