# Thread: Buffer Overflows - Help Understanding EIP and ESP Interaction

1. ## Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

I think that's an easier way to understand it. I understand the whole process much better after moving onto the more advanced tutorials. This is good stuff. Thanks for the additional clarification as well, now it will help someone else as well!

2. ## Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

Since the JMP or SEH address always has to be reversed in some manner, with a '\x' added before each pair of hex digits, I felt kind of lazy having to do the reversing and adding the '\x' characters every time, so I wrote this script to help me with the reversing and conversion.
Thought this could be useful to other thread members too. Here is the code:

Code:
```
#!/usr/bin/python

import sys


def usage():
    print("Usage: %s <JMP or SEH Address>\n" % sys.argv[0])
    print("Example: %s 0x0F9A2B7F or %s 0F9A2B7F" % (sys.argv[0], sys.argv[0]))
    sys.exit()


def jmp_format(address):
    # Accept the address with or without a leading 0x, then require exactly
    # eight hex digits (one 32-bit address); anything else prints usage.
    if address.lower().startswith('0x'):
        address = address[2:]
    if len(address) != 8 or any(c not in '0123456789abcdefABCDEF' for c in address):
        usage()
    # Split into bytes (pairs of hex digits), reverse the byte order to get
    # the little-endian layout, and emit each byte as \xHH.
    byte_pairs = [address[i:i + 2] for i in range(0, 8, 2)]
    byte_pairs.reverse()
    return ''.join('\\x%s' % pair for pair in byte_pairs)


try:
    address = sys.argv[1]
    print(jmp_format(address))
except IndexError:
    usage()
```

Code:
```
root@bt:~# python jmp 0x0f9a33d4
\xd4\x33\x9a\x0f
```
To make it easier for me, I `chmod +x`'d the script and then copied it to the /bin/ directory, so that I could run it like any normal built-in Unix command such as ls, ping, cat, etc. This is optional though.

Code:
```
root@bt:~# jmp 0x0f9a33d4
\xd4\x33\x9a\x0f
```
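The script above is a byte-order reverse of one 32-bit address. Below is an added example (not the poster's script) that does the same job with `struct`, so it also handles 8-byte addresses for 64-bit targets, confirms the result by unpacking it again, and flags bytes such as `\x00` or `\x0a` that many inputs would truncate or mangle. The bad-byte set, the function names and the sample addresses are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Little-endian address packing for 32- and 64-bit targets.

Added example, not the jmp script from the post above: struct.pack does the
byte reversal, and unpacking the result guards against a wrong format.
"""
import struct

# '<' = little-endian, 'I' = 4-byte unsigned, 'Q' = 8-byte unsigned
FORMATS = {32: '<I', 64: '<Q'}


def parse_address(text):
    """Parse '0x0F9A2B7F' or '0F9A2B7F' into an int, rejecting junk."""
    text = text.strip()
    if text.lower().startswith('0x'):
        text = text[2:]
    if not text or any(c not in '0123456789abcdefABCDEF' for c in text):
        raise ValueError('not a hex address: %r' % text)
    return int(text, 16)


def pack_address(value, bits=32):
    """Return the address as little-endian bytes, as it sits in the buffer."""
    if value < 0 or value >= 1 << bits:
        raise ValueError('0x%x does not fit in %d bits' % (value, bits))
    return struct.pack(FORMATS[bits], value)


def unpack_address(data, bits=32):
    """Inverse of pack_address; used as a round-trip check."""
    return struct.unpack(FORMATS[bits], data)[0]


def escape(data):
    """Render bytes as the \\xHH text people paste into an exploit script."""
    return ''.join('\\x%02x' % b for b in data)


def jmp_format(text, bits=32):
    """Address string -> little-endian \\xHH string, round-trip checked."""
    value = parse_address(text)
    packed = pack_address(value, bits)
    assert unpack_address(packed, bits) == value  # sanity check on the format
    return escape(packed)


# Assumed bad-byte set: NUL and CR/LF are the usual suspects for string-based
# input; the real set depends on the target and must be found per case.
DEFAULT_BAD = b'\x00\x0a\x0d'


def has_bad_chars(text, bits=32, bad=DEFAULT_BAD):
    """True if the packed address contains a byte from the bad set."""
    packed = pack_address(parse_address(text), bits)
    return any(b in bad for b in packed)


if __name__ == '__main__':
    import sys
    if len(sys.argv) < 2:
        sys.exit('Usage: %s <address> [32|64]' % sys.argv[0])
    width = int(sys.argv[2]) if len(sys.argv) > 2 else 32
    addr = sys.argv[1]
    print(jmp_format(addr, width))
    if has_bad_chars(addr, width):
        print('warning: address contains a bad byte', file=sys.stderr)
```

Run as `python3 addr.py 0x0f9a33d4` to get `\xd4\x33\x9a\x0f`, or pass `64` as the second argument for an 8-byte address. The bad-byte warning is why 64-bit user-space addresses are awkward for string-based overflows: their top two bytes are `\x00`.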

3. ## Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

ha, that's pretty slick. Now if only I had the time to write enough buffer overflow exploits to actually use it, that would be nice ...lol

Cool script anyway, thanks for sharing, it'll come in handy.

4. ## Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

I usually prefer to do everything manually unless I don't have enough time. The main reason is that after a while of using automation tools/scripts you start forgetting how to do it manually, and these tools/scripts don't always work.

5. ## Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

Hey I want to seriously thank you guys for putting this together. Great stuff!

For whatever reason, I think I have obtained most of the critical aspects of pentesting, but learning to create exploits is THE most challenging thing I've come across. Even if I do learn/master exploit development, I will always appreciate good hands-on tutorials on the subject.

I do have a few questions, and they're noob questions so please excuse me if they are dumb questions. Are there going to be fewer buffer overflow exploits on 64 bit systems? What type of exploits are the mainstream on 64 bit systems?

6. ## Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

Originally Posted by sickness
I usually prefer to do everything manually unless I don't have enough time. The main reason is that after a while of using automation tools/scripts you start forgetting how to do it manually, and these tools/scripts don't always work.
+1 to this.

Your jmp calculator is really a 32-bit little-endian reverse.

7. ## Re: Buffer Overflows - Help Understanding EIP and ESP Interaction

Originally Posted by t4tm0h
Hey I want to seriously thank you guys for putting this together. Great stuff!

For whatever reason, I think I have obtained most of the critical aspects of pentesting, but learning to create exploits is THE most challenging thing I've come across. Even if I do learn/master exploit development, I will always appreciate good hands-on tutorials on the subject.
Exploits are complicated enough, but they get far more complicated when you're dealing with things like DEP, ASLR, heap spray protection, Export Address Table Access Filtering (EAF) and much more. The people who can write remote (or even local) exploits that bypass all that successfully are pretty much gods.
