A Wee Bit of Help
From: jms at bughunter.ca (J. M. Seitz)
Date: Fri, 16 Mar 2007 13:06:33 -0800
Thanks for all your previous responses to my newb questions. Here is another
I have found an overflow, and when I pass in the input, say with a bunch of
NOPs, I get a:
Can't execute instruction at: 0x90909090
Fine and dandy, it looks like that value is from EAX.
eax=90909090 ebx=77c3f973 ecx=7ffffffe edx=03d044cf esi=03d041d4
eip=77c42a16 esp=03d0418c ebp=03d043f8 iopl=0 nv up ei pl nz na po
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
Now, what I have done is starting at the specified offset where it does the
77c42a16 803800 cmp byte ptr [eax],0
I fill that space with the address of where my shellcode is. When I run my
"crapsploit" against it, the target process doesn't die anymore and I don't
get "calc.exe" popping up.
What am I doing wrong here? If I make that return address where my shellcode
is a bunch of "A"s then again the process crashes with the same error as
before. By the process not dying does it mean that it's running my
shellcode, but not successfully?
Any help again (thanks HD and Matt for the love before) would be greatly
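As an added example (not part of the original post or anyone's reply to it), the helper below shows the check a practitioner would do before choosing where to put the address: with an all-NOP buffer, every dword of the payload reads as 0x90909090, so the register dump above cannot say which four payload bytes were loaded into EAX. A cyclic pattern in the Metasploit "Aa0Aa1..." style makes the offset unique, and the same code then builds a payload with a 32-bit little-endian address at that offset. The faulting instruction shown, cmp byte ptr [eax],0, reads a byte through EAX rather than transferring control to it, so the example only models what value the register receives from the payload; whether that value is later used as a code pointer is answered by the instructions following the cmp, not by this script. The target address 0x0BADF00D and the 64-byte payload length are placeholders chosen for the demonstration.

```python
import string
import struct

# Metasploit-style cyclic pattern: Aa0Aa1Aa2...Aa9Ab0Ab1...Zz9, period 26*26*10*3 = 20280 bytes.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
PATTERN_PERIOD = len(UPPER) * len(LOWER) * len(DIGITS) * 3


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the cyclic pattern."""
    if length > PATTERN_PERIOD:
        raise ValueError("length %d exceeds the pattern period %d" % (length, PATTERN_PERIOD))
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def register_bytes(value: int, bits: int = 32) -> bytes:
    """Bytes as they sat in memory for a value shown in an x86 (little-endian) register dump."""
    return value.to_bytes(bits // 8, "little")


def pattern_offset(pattern: bytes, value: int, bits: int = 32) -> list:
    """All offsets at which the register's bytes occur in the pattern.

    One hit identifies the payload bytes that were loaded into the register.
    No hit means the value did not come from the pattern at all; many hits
    (as with a NOP sled and 0x90909090) mean the payload carries no
    positional information.
    """
    needle = register_bytes(value, bits)
    hits = []
    start = 0
    while True:
        i = pattern.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def build_payload(offset: int, addr: int, total_len: int, filler: bytes = b"\x90") -> bytes:
    """Place a 32-bit little-endian address at `offset`, padding the rest with `filler`."""
    if offset + 4 > total_len:
        raise ValueError("offset %d does not fit in a %d-byte payload" % (offset, total_len))
    return filler * offset + struct.pack("<I", addr) + filler * (total_len - offset - 4)


def loaded_register(payload: bytes, offset: int) -> int:
    """Model a 32-bit register being loaded from the payload at `offset`."""
    return int.from_bytes(payload[offset:offset + 4], "little")


if __name__ == "__main__":
    # Constructed sample: pretend the debugger showed eax=41306241 after sending the pattern.
    pattern = pattern_create(64)
    print("hits for 0x41306241:", pattern_offset(pattern, 0x41306241))   # [30]
    print("hits for 0x90909090 in a NOP sled:",
          len(pattern_offset(b"\x90" * 64, 0x90909090)))                  # 61, i.e. ambiguous
    payload = build_payload(30, 0x0BADF00D, 64)                           # placeholder address
    print("register would load: 0x%08x" % loaded_register(payload, 30))
```

Send pattern_create(N) with the same N as the crashing input, read the faulting register out of the dump, and feed that value to pattern_offset; then build_payload puts the chosen address exactly at the reported offset instead of guessing from a sled.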