|
Vulnerability Development
mailing list archives
Re: Exploitation Help
From: James Longstreet <jlongs2 () uic edu>
Date: Tue, 17 May 2005 12:58:30 -0500 (CDT)
Perhaps this would help:
http://metasploit.com:55555/PAYLOADS?FILTER=win32
Quite a few Win32 shellcodes. Some of them are < 100 bytes... all depends
on what you want it to do, and how.
On Tue, 17 May 2005 ramatkal () hotmail com wrote:
Several questions on a remote stack overflow i am trying to exploit on windows 2k/XP/2003....
I send a GET request to a vulnerable web server, when the Authorization Header is 250 bytes long, a buffer overflow
occurs and i have full control over EIP. However, if the Authorization Header is larger than 250 bytes, an exception
occurs and i do not control EIP. So, the problem is I only have about 250 bytes with which to put my shellcode...
I did notice however, that the entire GET request is also sitting on the stack about 2k from the Authorization Header
and the RET address which i control. So, I was thinking to use this space to store my 600 or so byte shellcode...
So, I am basically thinking, i overflow EIP with an address that JMP's -260 to the beginning of the Authorization
header. The Authorization header then contains my Stage1 shellcode that starts searching down the stack for my Stage2
shellcode which it will find about 2k down the stack in the GET request.....
I hope somebody understands what the hell i am talking about....
Anyways, if anybody has any questions/suggestions/advice they would be greatly appreciated....
Thanks for your help,
RaMatkal
RaMatkal () hotmail com
 By Date 
By Thread
Current thread:
|
Intro
