[framework] A Wee Bit of Help
J. M. Seitz
jms at bughunter.ca
Fri Mar 16 16:06:33 CDT 2007
Thanks for all your previous responses to my newb questions. Here is another :)
I have found an overflow, and when I pass in the input say with a bunch of
NOPs I get a:
Can't execute instruction at: 0x90909090
Fine and dandy, it looks like that value is from EAX.
eax=90909090 ebx=77c3f973 ecx=7ffffffe edx=03d044cf esi=03d041d4 edi=00429865
eip=77c42a16 esp=03d0418c ebp=03d043f8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
Now, what I have done is starting at the specified offset where it does the
following:
77c42a16 803800 cmp byte ptr [eax],0
ds:0023:90909090=??
I fill that space with the address of where my shellcode is. When I run my
"crapsploit" against it, the target process doesn't die anymore and I don't
get "calc.exe" popping up.
What am I doing wrong here? If I make that return address where my shellcode
is a bunch of "A"s then again the process crashes with the same error as
before. By the process not dying does it mean that it's running my
shellcode, but not successfully?
Any help again (thanks HD and Matt for the love before) would be greatly
appreciated....
JS
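The distinction behind the question, as an added example that is not part of the original post and not Metasploit code: the faulting instruction `cmp byte ptr [eax],0` only reads through EAX, so pointing EAX at readable memory lets the compare proceed without ever moving EIP, which is why the target stops crashing but nothing runs. The program below constructs two hypothetical struct layouts (a buffer followed by a data pointer, and a buffer followed by a function pointer), overwrites each pointer with the same style of payload, and shows that only the function-pointer case transfers control. The layouts, the `fake_shellcode` bytes and the `marker` function are all assumptions made for illustration; nothing here describes the poster's actual target.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layouts, constructed for this example: a fixed buffer
 * immediately followed by a pointer, so an over-long copy into buf
 * clobbers the pointer. data_rec.p is only ever read through (like
 * "cmp byte ptr [eax],0"); code_rec.handler is called. */
struct data_rec { char buf[16]; const char *p; };
struct code_rec { char buf[16]; void (*handler)(void); };

/* Stand-ins for the post's shellcode: a byte blob that is never executed,
 * and a real function that records that control reached it. */
static const unsigned char fake_shellcode[] = { 0x90, 0x90, 0xcc };
static int payload_executed = 0;
static void marker(void) { payload_executed = 1; }

/* Overflow model: the payload is written over the whole object (buffer
 * plus the pointer after it). Copying over the object's bytes keeps this
 * well-defined C while reproducing the effect of a strcpy past buf[]. */
static void overflow(void *rec, size_t rec_size,
                     const unsigned char *payload, size_t len)
{
    memcpy(rec, payload, len > rec_size ? rec_size : len);
}

/* 16 filler bytes, then the raw bytes of a pointer, landing exactly on
 * the struct's pointer field. */
static size_t build_payload(unsigned char *out,
                            const void *ptr_bytes, size_t ptr_size)
{
    memset(out, 'A', 16);
    memcpy(out + 16, ptr_bytes, ptr_size);
    return 16 + ptr_size;
}

/* Mirrors the post's faulting instruction: a read through the controlled
 * pointer followed by a branch. Returns 1 if *p == 0, else 0. If p held
 * 0x90909090 this is where the access violation would occur. */
static int check_data(const struct data_rec *r)
{
    return *r->p == 0 ? 1 : 0;
}

/* Case 1: the overwritten pointer is a DATA pointer aimed at the
 * "shellcode". Returns check_data()'s result. The process survives, the
 * compare sees 0x90 (non-zero), and nothing executes: the "no crash, no
 * calc" outcome, because the instruction pointer was never controlled. */
int data_pointer_to_shellcode(void)
{
    struct data_rec r;
    unsigned char payload[64];
    const unsigned char *target = fake_shellcode;
    size_t n = build_payload(payload, &target, sizeof target);

    payload_executed = 0;
    overflow(&r, sizeof r, payload, n);
    return check_data(&r);          /* 0: *p is 0x90, not 0 */
}

/* Reports whether anything under attacker control ever ran. */
int executed_flag(void) { return payload_executed; }

/* Case 2: the same overflow lands on a CODE pointer that is later called.
 * Returns 1 if the call reached marker(). This is what control of the
 * instruction pointer looks like; the post's dump shows EIP still inside
 * a library routine, so that situation is case 1, not this one. */
int code_pointer_hijack(void)
{
    struct code_rec r;
    unsigned char payload[64];
    void (*target)(void) = marker;
    size_t n = build_payload(payload, &target, sizeof target);

    payload_executed = 0;
    overflow(&r, sizeof r, payload, n);
    r.handler();                    /* indirect call via controlled pointer */
    return payload_executed;
}

int main(void)
{
    printf("data pointer case: branch=%d executed=%d\n",
           data_pointer_to_shellcode(), executed_flag());
    printf("code pointer case: executed=%d\n", code_pointer_hijack());
    return 0;
}
```

Case 1 is the situation in the register dump: surviving the `cmp` just means the read no longer faults. To get execution one needs an overwrite that reaches something the code later jumps or calls through (a saved return address, an SEH record, a function pointer), which is the difference case 2 shows.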