exploit write, small jump

compaq · #1 (**permalink**) 11-07-2009, 09:52 AM

Hi, I'm trying to workout how to do a small jump. I'm useing the opcode eb, and would like jump 10 instruction.
do I have to add a offset or linear number in frount or behind it?

b3r00tb4ck · #2 (**permalink**) 11-07-2009, 08:53 PM

geek32 edition | X86 Opcode and Instruction Reference 1.10

really good site i found, VERY useful for shellcoding/exploit dev, sorry i dont have time to search it for you

compaq · #3 (**permalink**) 11-07-2009, 10:18 PM

Thanks b3r00tb4ck

lupin · #4 (**permalink**) 11-08-2009, 12:05 AM

Its '\eb\0a' for future reference. Be careful though because '\0a' is often a restricted character for buffer overflows.

compaq · #5 (**permalink**) 11-08-2009, 02:31 AM

This is along the same lines, olly is showing up 75e00000 refenced memory at 41414141 .
I have tryed point the memory location to some locations.
When I ran the exploit to the crash, i then run again, and then olly dies.

Any help would be appracted
thanks

lupin · #6 (**permalink**) 11-08-2009, 05:06 AM

Need some more details about what you are doing and what exactly changed between the overwrite with \x41 and the time where you tried to point the crash location elsewhere. Also, what do you mean when you say Olly dies?

Do you know what type of overwrite this is? Stack based? Direct EIP or SEH? How you are feeding the buffer to the program (STDIN, network socket?)

Perhaps give a step by step of what your buffer contains during the \41 overwrite and when you try to point the buffer to a particular location, exactly what Olly does in response to each buffer.

compaq · #7 (**permalink**) 11-08-2009, 07:31 AM

Quote:

Need some more details about what you are doing and what exactly changed between the overwrite with \x41 and the time where you tried to point the crash location elsewhere. Also, what do you mean when you say Olly dies?

Do you know what type of overwrite this is? Stack based? Direct EIP or SEH? How you are feeding the buffer to the program (STDIN, network socket?)

Perhaps give a step by step of what your buffer contains during the \41 overwrite and when you try to point the buffer to a particular location, exactly what Olly does in response to each buffer.

It calls seh, I send it to the progam with a network socket. Eip is the address of a cmp [ecx],eax were ecx conatins 41414141.
after it shows up saying tryed to refence memory, i click run it comes up again, i then hit run and olly closes(not in task bar)
There are a coulpe of place in the program were safeseh is off.

lupin · #8 (**permalink**) 11-08-2009, 08:42 AM

Quote:

Originally Posted by compaq

It calls seh, I send it to the progam with a network socket. Eip is the address of a cmp [ecx],eax were ecx conatins 41414141.
after it shows up saying tryed to refence memory, i click run it comes up again, i then hit run and olly closes(not in task bar)
There are a coulpe of place in the program were safeseh is off.

Ive never had Olly do that to me before. Are you using the default config?

If you are doing an SEH overwrite, why don't you try and use a POP, POP, RET, thats the usual way to get code execution.

compaq · #9 (**permalink**) 11-08-2009, 08:49 AM

Quote:

Ive never had Olly do that to me before. Are you using the default config?

If you are doing an SEH overwrite, why don't you try and use a POP, POP, RET, thats the usual way to get code execution.

My sound a bit.. Do i add the address of the start of a pop pop ret into ecx, as. like 77c40000? , I have try things like that push ecx,call , as well has a short jump, all just display the string of the commands at address 77c40000 in ecx.
It goes into the exception handler, but ecx just gets zeroed out