Welcome to the new Woodmann RCE Messageboards Regroupment
Please be patient while the rest of the site is restored.

To all Members of the old RCE Forums:
In order to log in, it will be necessary to reset your forum login password ("I forgot my password") using the original email address you registered with. You will be sent an email with a link to reset your password for that member account.

The old vBulletin forum was converted to phpBB format, requiring the passwords to be reset. If this is a problem for some because of a forgotten email address, please feel free to re-register with a new username. We are happy to welcome old and new members back to the forums! Thanks.

All new accounts are manually activated before you can post. Any questions can be PM'ed to Kayaker.

Enthusiastic question about this stack overflow.

Interesting low-level stuff, operating system related issues, packer/vx acrobatics, drivers and non-newbie programming in general, including win32 assembly and whatever else.
Locked
ptr0x
Junior Member
Posts: 5
Joined: Thu Sep 15, 2011 3:51 am

Enthusiastic question about this stack overflow.

Post by ptr0x »

Hi there, thanks for coming here =D

I really don't know if it is a "advanced reversing" issue but I guess it isn't a newbie issue, so I am here. Sorry if here isn't the correct place to post this.

I'm exploiting this stack overflow where the PE in question is a server-application that don't have any included module.

I have a version of this server which isn't the actual version running on the official server publisher (which I'm trying to exploit). The version I have is about 1 year ago and the flaw I found on my version of the server is still in operation on the official server (I could see this crashing the application with a long string data passed through client-packet).

It is a classic case where the programmer fill 2 local string buffers with client-packet data and only check the client-data string size after the copy (sscanf is used). Because of this I really think the call stack have the same length on the official server.

The problem comes when searching for a "JMP ESP" instruction to overwrite the return address of the function. The main-module is located at 0x400000 and ends at 0x580000 +- so I can't use any of these address due to the null-character.

I can't even search for another included module because as I said before this application just don't have.

I'm really lost =[

I don't have any idea of what I can do. I already did a extensive search for any text that could help me but found nothing =[ The most near I found tell to search for included modules (which probably don't have any exploit protection as ASLR for example).

I'm really instigated to do this, to learn more about this.

If you can help me with anything please take a sit :P

Thanks you very very much and sorry for the bad english :D
malice
Junior Member
Posts: 3
Joined: Sun Mar 16, 2014 1:28 am

Post by malice »

It is quite uncommon these days for anything to be exploitable via a simple jump to ESP. There are entire tomes dedicated to the art (for one "the art of exploitation", though it is kind of dated by now). If you wish for a quick start then I suggest you start with tutorials from Corelan. They start by easing you into it, and then move on to more advanced exploitation methods. Not every vulnerability is exploitable though.
Locked