[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Buffer Overrun Newbie

You might try prefixing your shellcode with a sub esp, 0x100. The win32 functions you're calling might be mangling the stack.

----- Original Message ----- From: <gj_williams2000@xxxxxxxxxxx>
To: <vuln-dev@xxxxxxxxxxxxxxxxx>
Sent: Sunday, February 05, 2006 5:20 PM
Subject: Buffer Overrun Newbie

I was messing about with my pc trying to learn how buffer overruns work
(mostly as an excuse to use assembler) and I have run into a problem.

The program I am exploiting is just a simple c program I wrote which
mismanages a string provided by the user by copying it into a 512 byte
variable on the stack without checking its length.

My shellcode is supposed to display a messagebox that reads "hello
world".  When I compile my code into an executable and run it it works
fine.  I also tested it by writing a c program that has the shellcode
defined as a constant and then jumps to it in memory which works fine
but when I try and exploit the program I mentioned above it goes wrong.
Could this be because its not running from readonly memory?

Debugging the program in OllyDbg shows me that when I make a call to
GetProcAddress in the Kernel32.dll the function returns
error_proc_not_found whereas in the other cases it returns err_success.
The function works fine returning the address to the function I want
but a big section of the stack seems to get overwritten by garbage
which breaks the rest of my code.

Is this my fault or some kind of Windows security mechanism?  Can
anyone help me, I haven't found anything much on the net about it.

Cheers for reading