Posts Tagged ‘jmp esp’
Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
Author: Peter Van Eeckhoutte
Add this post to Your Favorite Posts
In the first parts of this exploit writing tutorial, I have mainly used Windbg as a tool to watch registers and stack contents while evaluating crashes and building exploits. Today, I will discuss some other debuggers and debugger plugins that will help you speed up this process. A typical exploit writing toolkit arsenal should at least contain the following tools : windbg (for a list of Windbg commands, click here) ollydbg immunity debugger (requires python) metasploit pyDbg (if you are using python and want to build your own custom debugger, as explained in the awesome Gray Hay Python book scripting tools such as perl / python, etc In the previous chapters, we have already played with windbg, and I have briefly discussed a …
Posted in 001_Security, Exploit Writing Tutorials, Exploits | 
Tags: !aslrdynamicbase, !findtrampoline, address call, address jmp, aslr, buffer, byakugan, call esp, eip, esp, esp found, findreturn, found valid, hunt, identbuf, immdbg, immunity, jmp, jmp esp, jutsu, listbuf, memdiff, metasploit, msec, pattern_create, pattern_offset, pop, pycommand, ret, return address, rmbuf, safeseh, searchopcode, shellcode, valid return, vista | 
13 Comments »
Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode
Author: Peter Van Eeckhoutte
Add this post to Your Favorite Posts
Where do you want to jmp today ? In one of my previous posts (part 1 of writing stack based buffer overflow exploits), I have explained the basisc about discovering a vulnerability and using that information to build a working exploit. In the example I have used in that post, we have seen that ESP pointed almost directly at the begin of our buffer (we only had to prepend 4 bytes to the shellcode to make ESP point directly at the shellcode), and we could use a “jmp esp” statement to get the shellcode to run. Note : This tutorial heavily builds on part 1 of the tutorial series, so please take the time to fully read and understand part 1 before reading part 2. The fact that we could use “jmp esp” was an …
Posted in 001_Security, Exploit Writing Tutorials, Exploits |
Tags: 41414141, add esp, blind return, buffer, buffer overflow, bytes, dll, eip, findjmp, jmp, jmp esp, jumpcode, metasploit, nop, opcode, pop, pop pop ret, push ret, pwned, reg + offset, ret, shellcode, stack |
5 Comments »
- Lincoln on CORELAN-10-061 – Integard Home and Pro v2 Remote HTTP Buffer Overflow Exploit September 7, 2010
- Lincoln on CORELAN-10-060 – 123 Flash Chat ver 7.8 August 16, 2010
- Sud0 on CORELAN-10-059 – Sopcast Unicode BOF Remote Exploit August 10, 2010
- MaRkO T. on CORELAN-10-058 – ActiTime2 0MA CSRF July 11, 2010
- MaRkO T. on CORELAN-10-057 – Oracle BPM Process Administrator 5.7-6.0-10.3 MPs XSS July 11, 2010
- chap0 on CORELAN-10-056 - Hero DVD Remote Buffer Overflow Exploit July 7, 2010
- MaRkO T. on CORELAN-10-055 – MemDb (Multiple Remote Dos) June 28, 2010
- chap0 on CORELAN-10-054 - GSM sms Utility SEH Buffer Overflow June 28, 2010
- TecR0c on CORELAN-10-053 – FieldNotes 32 v5.00 SEH exploit June 25, 2010
- sinn3r on CORELAN-10-052 – NO-IP Domain Update Client (DUC) "Request" Insecure Encoding Algorithm June 24, 2010