
View Full Version : EIP to ESP isn't doing well


galda
January 23rd, 2010, 22:09
Hi,
I've fuzzed a program and found a stack overflow; after 90 bytes I was able to write to the EIP and there is a lot of space for the shellcode, so my stack looks like this:
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
[4 bytes of EIP]
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
SHELLCODE

Now ESP is pointing to the start of the NOP sled address, but when I use a JUMP ESP in the EIP I get a jump that is not exactly to the start of the NOP sled... I used a few different jumps from kernel32 and user32 and still it looks like the jump points me a few bytes before the start of the NOP sled... any idea why? The one who helps me will get credit after I publish it.

tnx.

LaBBa
January 24th, 2010, 00:58
Well, does it matter?
Are you jumping to the middle of the NOP sled? If you are always jumping to the section of the NOP sled then it doesn't matter. You don't need to jump to the beginning of the NOP sled, only to the range of the NOP sled...

The meaning of a NOP sled is that the stack allocation can always change, and you are building a section of NOPs so that if you jump to that section it will be legal byte code to be executed...

But, if you are saying that the jump to the NOP sled sometimes jumps into the shellcode (or anything else than the NOP sled) then that means that you need to enlarge your NOP sled size..

BTW:
What fuzzer are you using? Your own build or an existing one?

galda
January 24th, 2010, 07:16
Dude, you didn't read my post right... I know what a NOP sled is... believe me...
My problem is that I'm not getting there; even though I'm jumping to ESP I don't get into the NOP sled. Example:
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
[4 bytes of EIP]
[EIP]->\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
SHELLCODE

But when I'm running it I see in Olly something like this:

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
[4 bytes of EIP]
[EIP]->04958255
00039495
04482244
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
SHELLCODE

My problem is where the few unneeded bytes came from, because after the jump ESP, ESP isn't pointing at the NOP sled.
The fuzzer is from darkcode...
tnx

ronnie291983
January 28th, 2010, 01:55
JMP ESP is not such a good thing to do, because the bytes you're showing are EIP, EBP etc. (maybe....). When the function returns it will pop out the local variables and EBP, EIP etc., so it might not be in the state you expect it to be, or in other words won't be pointing to the base of the NOP sled.

I might be wrong about this, just a different line of thought, if you didn't already rule that out.

I had another question: is this "00039495" the stack cookie value?