('binary' encoding is not supported, stored as-is)
Several questions on a remote stack overflow i am trying to exploit on windows 2k/XP/2003....
I send a GET request to a vulnerable web server, when the Authorization Header is 250 bytes long, a buffer overflow occurs and i have full control over EIP. However, if the Authorization Header is larger than 250 bytes, an exception occurs and i do not control EIP. So, the problem is I only have about 250 bytes with which to put my shellcode...
I did notice however, that the entire GET request is also sitting on the stack about 2k from the Authorization Header and the RET address which i control. So, I was thinking to use this space to store my 600 or so byte shellcode...
So, I am basically thinking, i overflow EIP with an address that JMP's -260 to the beginning of the Authorization header. The Authorization header then contains my Stage1 shellcode that starts searching down the stack for my Stage2 shellcode which it will find about 2k down the stack in the GET request.....
I hope somebody understands what the hell i am talking about....
Anyways, if anybody has any questions/suggestions/advice they would be greatly appreciated....
Thanks for your help,
RaMatkal
RaMatkal_at_hotmail.com
Received on May 17 2005
Intro
