Remote Exploit Forums

#1  11-01-2009, 04:34 AM
New Member (Join Date: Oct 2009; Posts: 1)

BoF Exploit Windows XP SP0

Hi,

Sorry for double-posting in the other thread! I missed the fact that my posts have to be approved by a mod and thought my first post would have been lost.

I have the task to demonstrate a buffer overflow with Windows XP (NO service pack installed). There are several tutorials on how to do this on the net. So I just wrote some vulnerable piece of C++ server code including:

char test[20];
...
strcpy( test, attackerstring);

where "attackerstring" is the ordinary much too long string passed by the client (some hundred "A" characters). The BoF seems to work and will crash the application. I am also able to overwrite both EAX and ECX (take a look at the screenshot below). However, I am not able to overwrite the crucial EIP, regardless of how ridiculously long the string of "A" characters is. 100 do not work, 500 do not work, 2000+ do not work. It doesn't help either to let OllyDbg pass the exception to my programme.

SCREENSHOT: img101.imageshack.us/img101/5986/ollydbg.jpg

The exploit is running on VMWare Player 2.53 & Windows XP SP 0. All tutorials and forum posts I have browsed require me to access the EIP. Does anybody have an idea why it is not working for me? I'm really in despair by now.

Thanks for your efforts, m.
#2  11-01-2009, 05:35 AM
lupin, Moderator (Join Date: Mar 2009; Location: Australia; Posts: 945)
Make sure the overflow occurs inside a function and not inside main, as demonstrated in the code below. This will ensure that the overflow occurs on the stack which allows the return address fed to EIP when the function exits to be overwritten.

A buffer of 28 A characters will overwrite EIP for the code below.

Code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void function(char *input) {
	char buffer[20];
	strcpy(buffer, input);  //overflow here, when function returns to main the return address can be overwritten
}

int main(int argc, char *argv[]) {
	if (argc < 2) {  //avoid a NULL argv[1] when run with no argument; the overflow in function() is unchanged
		printf("usage: %s <input>\n", argv[0]);
		return 1;
	}
	function(argv[1]);
	return 0;
}
__________________
Nancy Astor: If I were your wife I would put poison in your coffee!
Winston Churchill: Madam, if I were your husband I would drink it.

Last edited by lupin; 11-01-2009 at 05:51 AM.
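An added example, not lupin's code or anything from the original thread, that ties the two posts together: it measures at run time how far a 20-byte local buffer sits from the stack slot holding the function's return address (the gap lupin's 28-byte input has to cross), and it shows a bounded copy that rejects input too long for the buffer, which is the fix for the original poster's strcpy(test, attackerstring). The frame measurement assumes GCC or Clang; BUF_SIZE and the 28-byte string are constructed to match the thread.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

#define BUF_SIZE 20   /* same size as the thread's char test[20] */
/* Constructed input: the 28 'A's lupin says reach EIP (20 buffer + 4 saved EBP + 4 return). */
#define ATTACK_28 "AAAA" "AAAA" "AAAA" "AAAA" "AAAA" "AAAA" "AAAA"

/* Replacement for strcpy(test, attackerstring): copies only if src (with its
 * terminator) fits in dst_size bytes; returns 0 on success, -1 if it does not fit. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')   /* never scan past dst_size bytes */
        len++;
    if (len == dst_size)                          /* no room left for the NUL */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Bytes from the start of this function's 20-byte local buffer to the stack slot
 * holding its return address. The slot sits one pointer above the frame pointer
 * (assumption: GCC/Clang, which keep a frame pointer when __builtin_frame_address
 * is used). An overrun that reaches this many bytes starts clobbering the return
 * address; on 32-bit x86 with no padding that is 24, hence lupin's 28 (24 + 4). */
ptrdiff_t frame_distance(void) {
    char buffer[BUF_SIZE];
    volatile char *p = buffer;    /* take the address so the buffer stays in the frame */
    uintptr_t ret_slot = (uintptr_t)__builtin_frame_address(0) + sizeof(void *);
    return (ptrdiff_t)(ret_slot - (uintptr_t)p);
}

int main(void) {
    char test[BUF_SIZE];
    printf("buffer -> return address slot: %td bytes (canary/padding may add to 24)\n",
           frame_distance());
    printf("28-byte input: %s\n",
           bounded_copy(test, sizeof test, ATTACK_28) == 0 ? "accepted" : "rejected");
    printf("19-byte input: %s\n",
           bounded_copy(test, sizeof test, "0123456789012345678") == 0 ? "accepted" : "rejected");
    return 0;
}
```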