Results 1 to 2 of 2

Thread: Enthusiastic question about this stack overflow.

  1. #1

    Enthusiastic question about this stack overflow.

    Hi there, thanks for coming here =D

    I really don't know if it is a "advanced reversing" issue but I guess it isn't a newbie issue, so I am here. Sorry if here isn't the correct place to post this.

    I'm exploiting this stack overflow where the PE in question is a server-application that don't have any included module.

    I have a version of this server which isn't the actual version running on the official server publisher (which I'm trying to exploit). The version I have is about 1 year ago and the flaw I found on my version of the server is still in operation on the official server (I could see this crashing the application with a long string data passed through client-packet).

    It is a classic case where the programmer fill 2 local string buffers with client-packet data and only check the client-data string size after the copy (sscanf is used). Because of this I really think the call stack have the same length on the official server.

    The problem comes when searching for a "JMP ESP" instruction to overwrite the return address of the function. The main-module is located at 0x400000 and ends at 0x580000 +- so I can't use any of these address due to the null-character.

    I can't even search for another included module because as I said before this application just don't have.

    I'm really lost =[

    I don't have any idea of what I can do. I already did a extensive search for any text that could help me but found nothing =[ The most near I found tell to search for included modules (which probably don't have any exploit protection as ASLR for example).

    I'm really instigated to do this, to learn more about this.

    If you can help me with anything please take a sit :P

    Thanks you very very much and sorry for the bad english
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    It is quite uncommon these days for anything to be exploitable via a simple jump to ESP. There are entire tomes dedicated to the art (for one "the art of exploitation", though it is kind of dated by now). If you wish for a quick start then I suggest you start with tutorials from Corelan. They start by easing you into it, and then move on to more advanced exploitation methods. Not every vulnerability is exploitable though.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. ecx overwritten +overflow
    By blowfrank in forum The Newbie Forum
    Replies: 3
    Last Post: December 21st, 2010, 12:36
  2. Integer overflow
    By OpenRCE_EliCZ in forum Blogs Forum
    Replies: 0
    Last Post: April 25th, 2008, 12:41
  3. Replies: 0
    Last Post: April 23rd, 2008, 10:01
  4. Debugging a stack overflow - hardware breakpoints problem
    By Fireice in forum OllyDbg Support Forums
    Replies: 2
    Last Post: May 17th, 2005, 04:30
  5. About the buffer overflow bug
    By thomasantony in forum Bugs
    Replies: 7
    Last Post: April 16th, 2005, 05:34

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •