Home page logo
/

metasploit logo Metasploit mailing list archives

A Wee Bit of Help
From: jms at bughunter.ca (J. M. Seitz)
Date: Fri, 16 Mar 2007 13:06:33 -0800

Thanks for all your previous responses to my newb questions. Here is another
:)
 
I have found an overflow, and when I pass in the input say with a bunch of
NOPs I get a:
 
Can't execute instruction at: 0x90909090 
 
Fine and dandy, it looks like that value is from EAX. 
 
eax=90909090 ebx=77c3f973 ecx=7ffffffe edx=03d044cf esi=03d041d4
edi=00429865
eip=77c42a16 esp=03d0418c ebp=03d043f8 iopl=0         nv up ei pl nz na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010202
 
Now, what I have done is starting at the specified offset where it does the
following:
 
77c42a16 803800          cmp     byte ptr [eax],0
ds:0023:90909090=??

I fill that space with the address of where my shellcode is. When I run my
"crapsploit" against it, the target process doesn't die anymore and I don't
get "calc.exe" popping up.
 
What am I doing wrong here? If I make that return address where my shellcode
is a bunch of "A"s then again the process crashes with the same error as
before. By the process not dying does it mean that it's running my
shellcode, but not successfully?
 
Any help again (thanks HD and Matt for the love before) would be greatly
appreciated....
 
JS
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070316/98781f2b/attachment.htm>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]