[framework] pattern_offset.rb

Sonixxfx sonixxfx at gmail.com
Sun Apr 8 07:30:58 CDT 2007


Great explanation! Thanks Rhys. This is exactly what I needed to know.

Regards,

Ben


2007/4/8, Rhys Kidd <rhyskidd at gmail.com>:
>
> Sonixxfx wrote:
> > Can someone tell me why pattern_offset.rb does not work with the ESP
> > and the EBP register in this case? I have attached a picture of
> > ollydbg for clarification.
> I'm assuming the process you have used to attempt to find the location
> in the string that ESP and EBP point to is something like
> "./pattern_offset.rb 0098FD98 1000".
>
> ESP and EBP are registers which _point_ to a location in memory.
>
> When a vulnerable string handling API was called - from memory war-ftpd
> uses plain old strcpy() - your long crafted string extends past the end
> of the target buffer, overflows any other later buffers and then finally
> overwrites the values of the stack pointer, base pointer and finally the
> saved return address.
>
> A few cycles later, the function which contained the strcpy then
> finishes, and attempts to return. The value of the saved return address
> becomes the value in EIP; however ESP and EBP continue to merely _point_
> to the memory location of another portion of your long string. The
> values of ESP and EBP themselves are not changed by the buffer overflow.
>
> What you want to do is take the first bytes of the portion of string at
> ESP ("q4Aq"), convert it to hex with either an online ASCII converter or
> some Ruby and then feed these values into ./pattern_offset.rb.
>
> In this way you will now have the location in your crafted string that
> eventually becomes the beginning of the location ESP points to. Under
> the classic approach to stack overflows you'll finally want to set your
> saved return address to a "jmp esp" or equivalent.
>
> - Rhys
>
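Rhys's distinction between a register's value and the bytes it points to, worked through as an added Ruby example (this is not the framework's own pattern_create.rb / pattern_offset.rb; it re-implements the cyclic pattern and assumes the tool's convention that an 8-hex-digit argument is a little-endian dword):

```ruby
# Added example (not the framework's own script): a small re-implementation
# of the cyclic pattern behind pattern_create.rb / pattern_offset.rb, used to
# show why the bytes *at* ESP locate the offset while the *value* of ESP
# (an address such as 0098FD98) never will.

# Build the cyclic pattern: triplets of upper, lower, digit (Aa0Aa1...Zz9).
def pattern_create(length)
  out = +''
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# Turn what the user typed into the 4 bytes that sit in memory.
# An 8-hex-digit dword (what a debugger shows) is packed little-endian, so
# "71413471" becomes "q4Aq"; assumption: this mirrors pattern_offset.rb's
# convention. Anything else is taken as literal ASCII bytes.
def needle_from(value)
  return [value.hex].pack('V') if value =~ /\A(0x)?\h{8}\z/i
  value
end

# Offset of the needle in a pattern of the given length, or nil if absent.
def pattern_offset(value, length = 8192)
  pattern_create(length).b.index(needle_from(value).b)
end

# The situation from the thread with a 1000-byte pattern: looking up the
# register's value finds nothing, looking up the bytes it points to does.
def demo
  {
    esp_value: pattern_offset('0098FD98', 1000), # address, not in the string
    esp_ascii: pattern_offset('q4Aq', 1000),     # bytes shown at ESP in the dump
    esp_hex:   pattern_offset('71413471', 1000)  # same bytes, as a LE dword
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```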