Dailydave mailing list archives

Basic (should be) Stack Overflow (XP SP2)


From: EvilPacket <evilpacket () gmail com>
Date: Tue, 18 Apr 2006 14:55:15 -0700

I'm trying to work through a basic stack overflow and can't figure out why
something isn't working quite right and I am hoping somebody is willing to
lend some advice on this one (or at least point me to some reading material
that I may have missed).

I can take control of EIP with the overflow when the RET executes. I'm curious
as to why I can't simply redirect execution straight into my stack space
(0022FE70), where my user-controlled data is: when execution is directed to
0022FE70 it is off in some far away land and not actually in my stack (this
is where I am confused).

I have tried an alternative way by redirecting EIP into NTDLL.DLL at
instruction 0x7c9556d8, which should be a jmp eax. That is executed and EIP
becomes 0022FE70 again, but it goes off into never-never land as well. I
know I'm missing some basic principle here. Any __helpful__ information /
references would be appreciated.

--Adam


Environment is Windows XP SP2, fully patched, soup to nuts.

Here is the disassembled version of the binary I'm working from....
...
004012C3  |. 8B45 0C            MOV EAX,DWORD PTR SS:[EBP+C]
004012C6  |. 83C0 04            ADD EAX,4
004012C9  |. 8B00               MOV EAX,DWORD PTR DS:[EAX]
004012CB  |. 894424 04          MOV DWORD PTR SS:[ESP+4],EAX
004012CF  |. 8D85 F8FEFFFF      LEA EAX,DWORD PTR SS:[EBP-108]
004012D5  |. 890424             MOV DWORD PTR SS:[ESP],EAX
004012D8  |. E8 33050000        CALL <JMP.&msvcrt.strcpy>
004012DD  |. C9                 LEAVE
004012DE  \. C3                 RETN
...


Registers after CALL <JMP.&msvcrt.strcpy>:

EAX 0022FE70 ASCII "AAAAAAAAAAAAAAA... points to user supplied data"
ECX 003D3E54
EDX ABABAB00
EBX 00004000
ESP 0022FE40
EBP 0022FF78 ASCII "DDDDAAAA" ; last 8 bytes of user supplied data
ESI FFFFFFFF
EDI 7C910738 ntdll.7C910738
EIP 004012DD abo1.004012DD
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_FILE_NOT_FOUND (00000002)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -UNORM D0A8 01050104 0079006C
ST1 empty 0.0000000000000003830e-4933
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 037F  Prec NEAR,64  Mask    1 1 1 1 1 1

----------------------------------------------------------------------------

Registers after LEAVE:

EAX 0022FE70 ASCII "AAAAAAAAAAAAAAAAAAA... User supplied data"
ECX 003D3E54
EDX ABABAB00
EBX 00004000
ESP 0022FF7C ASCII "AAAA" ; last 4 bytes of user supplied data
EBP 44444444
ESI FFFFFFFF
EDI 7C910738 ntdll.7C910738
EIP 004012DE abo1.004012DE
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_FILE_NOT_FOUND (00000002)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -UNORM D0A8 01050104 0079006C
ST1 empty 0.0000000000000003830e-4933
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 037F  Prec NEAR,64  Mask    1 1 1 1 1 1

----------------------------------------------------------------------------

Registers after RET:

EAX 0022FE70 ASCII "AAAAAAAAAA...points to user supplied data"
ECX 003D3E54
EDX ABABAB00
EBX 00004000
ESP 0022FF80
EBP 44444444
ESI FFFFFFFF
EDI 7C910738 ntdll.7C910738
EIP 41414141
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_FILE_NOT_FOUND (00000002)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -UNORM D0A8 01050104 0079006C
ST1 empty 0.0000000000000003830e-4933
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 037F  Prec NEAR,64  Mask    1 1 1 1 1 1

----------------------------------------------------------------------------
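The listing above is an unbounded strcpy() of argv[1] into a local at EBP-108, and the register dumps show the consequence: after the copy the saved EBP reads "DDDD" and the return address "AAAA". As an added example (not code from the original post or its author), the C below reconstructs that routine beside a bounds-checked replacement and exercises the replacement with constructed arguments of various lengths. The buffer size of 264 bytes is an assumption derived from the LEA EAX,[EBP-108] instruction; the function names and the test driver are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Size of the local buffer inferred from the disassembly:
 * LEA EAX,[EBP-108] places it 0x108 = 264 bytes below the saved EBP.
 * Assumption drawn from the listing, not a value stated by the author. */
#define BUF_SIZE 264

/* Reconstruction of the routine in the listing: argv[1] is copied into a
 * fixed-size local with strcpy(), so any argument of BUF_SIZE bytes or more
 * runs past the buffer into the saved EBP and then the return address.
 * Kept only for side-by-side comparison; never call it with untrusted input. */
int vulnerable_copy(const char *arg)
{
    char buf[BUF_SIZE];
    strcpy(buf, arg);              /* no bounds check: this is the overflow */
    return (int)strlen(buf);
}

/* Hardened replacement: measure the source against the destination size
 * before writing anything. Returns 0 on success and -1 if the input would
 * not fit (including its terminating NUL), leaving dst untouched. */
int checked_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Bounded scan: stop as soon as the source is proven too long. */
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)             /* no room left for the NUL terminator */
        return -1;
    memcpy(dst, src, n + 1);       /* n bytes plus the NUL */
    return 0;
}

/* Same call shape as the vulnerable routine, but using the checked copy. */
int safe_handle_argument(const char *arg)
{
    char buf[BUF_SIZE];
    return checked_copy(buf, sizeof buf, arg);
}

/* Test driver: build a constructed argument of `len` 'A' bytes (the same
 * filler seen in the register dumps) and report whether the hardened routine
 * accepts it. Lengths up to 263 fit; 264 and beyond are rejected. */
int accepts_argument_of_length(size_t len)
{
    char arg[1024];
    if (len >= sizeof arg)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return safe_handle_argument(arg);
}

int main(void)
{
    size_t lengths[] = { 10, 263, 264, 268, 300 };
    size_t i;
    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("%4lu bytes of input: %s\n",
               (unsigned long)lengths[i],
               accepts_argument_of_length(lengths[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The 264-byte boundary is where the unchecked version starts overwriting the saved frame pointer; 268 is where it reaches the return address, which is why the dump after RET shows EIP = 41414141. The checked version refuses both rather than silently truncating, so a caller can log and drop the oversized argument.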
