
Thread: [HELP]Writing an exploit

  1. #1
    comaX (Good friend of the forums)
    Join Date: Feb 2010
    Location: Paris, France
    Posts: 338

    [HELP]Writing an exploit

    Hi everyone! After reading Lupin's tutorial about buffer overflow exploits, and succeeding in repeating the process, I wanted to try on my own.

    So, I chose a program in which I found an exception overwriting the EIP. I also found a JMP ESP to point the EIP to, but here comes the problem:
    the address of the JMP ESP is 77A673D5, which should translate to Õs|M (inverted here).
    The problem is that the program reads Õ as E5 and not D5 as it should according to hex tables... and the next char (Ö) translates to 99 instead of D6. "|" translates to 7C instead of A6.

    I also found two other JMP ESPs, but one also contains Õ and |, and the other one the control character ^B, which I don't even know how to "write".

    I searched Google for maybe different tables, but nothing conclusive. So, do you have any idea how I could pass those hex values to the program?

    Any idea would be very much appreciated! Thanks for reading me!

    (Meanwhile I'll keep trying different chars, but that might take a long time...)
    Running both KDE and GNOME BT5 flawlessly. Thank you!

  2. #2
    Senior Member
    Join Date: Jul 2009
    Posts: 135

    Re: [HELP]Writing an exploit

    Try to use the techniques that Lupin outlined in his early tutorials regarding finding bad characters. Some buffers may translate certain characters or can just break the exploit. Once you know what the bad chars are, you can then search for a JMP ESP instruction address that doesn't contain any of these bad chars.

  3. #3
    comaX (Good friend of the forums)
    Join Date: Feb 2010
    Location: Paris, France
    Posts: 338

    Re: Re: [HELP]Writing an exploit

    Quote Originally Posted by aerokid240
    Try to use the techniques that Lupin outlined in his early tutorials regarding finding bad characters. Some buffers may translate certain characters or can just break the exploit. Once you know what the bad chars are, you can then search for a JMP ESP instruction address that doesn't contain any of these bad chars.
    I did check that, but the problem was the charset in use. I found out that instead of using Unicode I should have used DOS Western Europe. Anyway, thanks for answering!

    Now the problem is about the payload. I chose raw output, but I assume this is Unicode (I could find a way to "translate" that though). The problem is the line break; I tried passing \n ^n as bad chars, but I still get line breaks... which I really cannot have. I'll check again if a Unicode line break could be a "real" char in DOS, but I doubt it.

    Again, any idea would be appreciated!
    Running both KDE and GNOME BT5 flawlessly. Thank you!
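The three posts above describe one problem from two sides: the return address has to land in the buffer as raw bytes, and anything that passes through a text code page (post #1) or a line-oriented read (post #3) can change or cut those bytes, which is exactly what a bad-character test (post #2) is for. The script below is an added example written for this page; it is not code from the thread or from Lupin's tutorials. It packs the address quoted in the thread (0x77A673D5) little-endian, shows how typing the Latin-1 glyphs of those bytes into a DOS console changes them (the "DOS Western Europe" code page is taken here to be CP850, an assumption), then runs the iterative bad-char search from post #2 against a constructed stand-in for the target that behaves like a text-mode line read, and finally filters JMP ESP candidates by the bad chars found. The second candidate address and the simulated target are constructed for illustration and do not come from the thread.

```python
import struct
from typing import Callable, Iterable, Optional, Set

# Address quoted in the thread. The other candidate is a constructed value
# chosen to contain a line-feed byte (0x0A); it is not from the thread.
JMP_ESP = 0x77A673D5
HYPOTHETICAL_CANDIDATE = 0x7C0A1234


def pack_addr(addr: int) -> bytes:
    """Little-endian 32-bit encoding: the byte order the overwritten EIP needs."""
    return struct.pack("<I", addr)


def console_byte(glyph: str, codepage: str) -> int:
    """Byte value a single typed character becomes under the given console code page."""
    return glyph.encode(codepage)[0]


def glyphs_for_console(raw: bytes, codepage: str) -> str:
    """Characters to type so that a console using `codepage` emits exactly `raw`."""
    return raw.decode(codepage)


def through_codepage(raw: bytes, codepage: str) -> bytes:
    """Simulate reading the hex table as Latin-1 glyphs and typing them into a
    console that uses `codepage`: the bytes that arrive may differ from `raw`."""
    return raw.decode("latin-1").encode(codepage, errors="replace")


def badchar_test_string(exclude: Set[int]) -> bytes:
    """The 0x01..0xFF probe string, minus bytes already known to be bad."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_mismatch(sent: bytes, observed: bytes) -> Optional[int]:
    """First sent byte that was altered or truncated in the copy seen in memory."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def discover_badchars(target: Callable[[bytes], bytes],
                      known: Iterable[int] = (0x00,)) -> Set[int]:
    """Send the probe string, drop the first damaged byte, repeat until the
    copy that lands in the target matches what was sent."""
    bad = set(known)
    while True:
        sent = badchar_test_string(bad)
        damaged = first_mismatch(sent, target(sent))
        if damaged is None:
            return bad
        bad.add(damaged)


def simulated_target(data: bytes) -> bytes:
    """Constructed stand-in for the vulnerable program's input handling:
    a text-mode line read that stops at LF and strips CR."""
    return data.split(b"\n")[0].replace(b"\r", b"")


def usable(addr: int, bad: Set[int]) -> bool:
    """True if no byte of the little-endian address is a bad character."""
    return not (set(pack_addr(addr)) & bad)


if __name__ == "__main__":
    raw = pack_addr(JMP_ESP)
    print("bytes needed in the buffer:", raw.hex())
    print("bytes that arrive if the Latin-1 glyphs are typed into a CP850 console:",
          through_codepage(raw, "cp850").hex())
    print("glyphs to type in a CP850 console to get the right bytes:",
          glyphs_for_console(raw, "cp850"))
    bad = discover_badchars(simulated_target)
    print("bad chars found:", sorted(hex(b) for b in bad))
    for cand in (JMP_ESP, HYPOTHETICAL_CANDIDATE):
        print(hex(cand), "usable" if usable(cand, bad) else "contains a bad char")
```

With CP850 the glyph Õ encodes to 0xE5 and Ö to 0x99, which matches what the first post observed, while Latin-1 gives the 0xD5 the hex table promised; the fix is either to emit raw bytes directly (a Python script writing `bytes`, not a string) or to type the glyphs the target code page maps to the wanted bytes. The bad-char loop returns 0x0A and 0x0D for the simulated target, so any candidate address containing those bytes is discarded before it is tried.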
