Vulnerability Development: Re: problem to exploit a stack overflow

Re: problem to exploit a stack overflow

From: <6d79676d61696c6163636f756e74_at_gmail.com>
Date: 25 May 2005 16:25:25 -0000
In-Reply-To: <433ee3d9050524070923ba6ab5_at_mail.gmail.com>

>so the access violation happened (this time) in the beginning of the
>shellcode !!!? is that a security feature in xp sp2 ? or something
>else? can someone help me to understand this.
>thank you
>

You have overwritten ebp with nops... then you are trying to mov the value 63h to ebp-4 and you get an access violation.

Basically what you are trying to do with your shellcode is call the winexec routine on "cmd" - and for that you are trying to push "cmd" onto the stack, then push a null, then call winexec.

Unfortunately for you, ebp is not pointing to the stack - you have corrupted it with nops, but since you got control of the cpu - you can move whatever value to whatever (accessible) location and fix things...
Also, you can reset all the registers to whatever values you want.

Good luck
Received on May 25 2005
