
Stack overflow without EIP


galda
January 23rd, 2010, 11:58
Hi,

I fuzzed some program and I was able to inject data into the stack. ECX is pointing to the data on the stack, the program crashes, but I can't control EIP. Any idea why? Or how can I jump from the data in ECX to EIP?

LaBBa
January 23rd, 2010, 12:40
Well, it looks like the bug you found didn't overwrite the return value, so this will need investigation to observe what it points to and how to point it at the data that you have sent to the application.

galda
January 23rd, 2010, 15:59
Just to make it clear... Let's say ECX is pointing at 0x00439204. I was able to inject my data at 0x00439204; I can inject as much data as I want, but it doesn't overwrite EIP... Can I do something with it?

LaBBa
January 24th, 2010, 01:05
If this data has meaning, like overwriting the code section inside the application, and then somewhere in the application flow it needs to execute this, then yes... this will need deeper investigation...

galda
January 26th, 2010, 22:35
How can I investigate it? What are the steps? Could you direct me or give me a guide?

thanks!

Darkelf
January 27th, 2010, 03:49
Hmmm, I'm not sure if you really know what you are doing.
Don't get me wrong - I don't want to offend you, but 0x00439204 is surely no stack address. So putting your shellcode at this address may be pretty fine, but you nevertheless need to overwrite the return address of the function you are exploiting. If you are familiar with the procedure of calling a function, you'll know that the address of the next instruction after the call is stored as the point of return on the stack. Therefore you must overwrite this address on the stack with the address where your shellcode is stored. You can write data to 0x00439204 until your processor is burning - you will never overwrite your return address there.

You'll forgive me if you know that concept already, but it doesn't seem so and I want to point you in the right direction.

Best regards
darkelf

edit: Although I think you've already read it, here is a link to some starting guide:
http://insecure.org/stf/smashstack.html

galda
January 27th, 2010, 07:29
I know what I'm doing, but I'm kinda sure that you don't... The 0x00439204 address was just an example; it could be 0x05928483 or 0xPick8RandomNumbers.
My problem for now isn't the shellcode, but whether it is possible to do something when overflowing a register WITHOUT overflowing EIP.
I don't need the smash paper, damn. In every second post people give it like it's some kind of magic solution... The smash paper doesn't talk about this topic...

Darkelf
January 27th, 2010, 17:24
First of all, I'm trying to help you. If you don't like what I'm telling you, then just fuck off!
If you are still interested, then listen...
This is what you've written:

Quote (originally posted by galda):
Hi,

I fuzzed some program and I was able to inject data into the stack. ECX is pointing to the data on the stack, the program crashes, but I can't control EIP. Any idea why? Or how can I jump from the data in ECX to EIP?


If this is your problem, the smash paper WILL answer your question, because it'll guide you through how to overwrite the return value. If overwriting IS NOT your problem, then you'll have to ask a more specific question - we (I) will gladly answer it.
One more thing... if you are THAT pissed just because someone wrote an answer that didn't satisfy your needs, you may be really wrong here.

ronnie291983
January 28th, 2010, 01:45
I would agree with darkelf that the address mentioned does not look like a stack address; it generally looks like 0x0012xxxx. Null pointers also generate access violation exceptions, among other possibilities, and exploiting these might take an in-depth analysis.

If you could give the exception details, that would be helpful.

Be really patient with the people trying to help you; you need to consider the fact that they are giving their answers with very limited information.

disavowed
February 7th, 2010, 11:38
Quote (originally posted by Darkelf):
you nevertheless need to overwrite the return address of the function you are exploiting

Not necessarily...
Given that you can control the value of ECX, how is ECX used afterwards? For example, if there's a JMP/CALL ECX or JMP/CALL [ECX+0x10], you're in luck. This can often be the case if the "vulnerable" function is a __thiscall function, in which case ECX points to this. If that's the case, you'd almost certainly be able to control calls to its vtable functions.

Darkelf
February 16th, 2010, 08:58
disavowed,

just saw your post. Of course you are right.
I didn't take that case into consideration. Sorry about that.

Best regards
darkelf