For Visual C++:
- Stack overflow experiment: use the debug build. If the release build is used, the test may need to be redone.
- Heap overflow experiment: use the release build. If the debug build is used, it will fail. If the heap test is run directly under OllyDbg or WinDbg, the heap manager switches to the debug heap management policy.
ESP - points to the top of the stack
EBP - points to the base of the topmost stack frame
_stdcall and _cdecl behave differently. By default, Visual C++ will use _stdcall.
Frame setup and teardown:
    mov ebp, esp
    sub esp, xxx    ; reserve local space
    add esp, xxx    ; release local space
Stack layout:
    char buffer[0-3]    low address
    return address      high address
Example: the input is 43214321432143214321
The memory layout in OllyDbg:
    char buffer[0-3]    1234    (shown as offsets 3,2,1,0)
    char buffer[4-7]    1234
    return address      1234
If the modified return address is 0x00401122, we should enter it as 22 11 40 00 (little endian), so the resulting EIP will show 0x00401122 correctly.
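The byte-order point above, as an added example (not part of the original notes): a little-endian dword stores its least significant byte at the lowest address, so the bytes written to memory are the reverse of the value the debugger displays. The helper names are my own.

```python
import struct


def pack_little_endian(value: int) -> bytes:
    """Return the 4 bytes that store `value` as a little-endian dword in memory."""
    return struct.pack("<I", value)


def unpack_little_endian(raw: bytes) -> int:
    """Read 4 bytes of memory back as the dword value a debugger would show."""
    return struct.unpack("<I", raw)[0]


def dword_as_debugger_shows(raw: bytes) -> str:
    """A register or stack pane prints a dword most-significant byte first,
    i.e. memory offsets 3,2,1,0 in that order."""
    return f"0x{unpack_little_endian(raw):08X}"


def byte_order_in_memory(value: int) -> str:
    """Render the bytes in ascending address order, the order they must be typed in."""
    return " ".join(f"{b:02x}" for b in pack_little_endian(value))


if __name__ == "__main__":
    # Constructed values from the notes: the input "1234" and the address 0x00401122.
    print(dword_as_debugger_shows(b"1234"))      # 0x34333231
    print(byte_order_in_memory(0x00401122))      # 22 11 40 00
    assert unpack_little_endian(pack_little_endian(0x00401122)) == 0x00401122
```

Round-tripping through pack and unpack is the quick sanity check: if the bytes were entered in the wrong order, EIP would read 0x22114000 rather than 0x00401122.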
In Visual Studio 6.0, "Dependency Walker" can be used to obtain the user32.dll base address, the MessageBoxA entry point offset, etc.
To list all the jump addresses in a process, the OllyDbg plugin "OllyUni.dll" can be used. Put it in the Plugins folder of the OllyDbg directory and restart OllyDbg.
Right click on the code --> Overflow Return Address --> ASCII Overflow returns --> Search JMP/CALL ESP --> click the L button on the OllyDbg toolbar (or Log).
- If the path length differs between runs, the heap spray method is useful for this situation.
- The decoder for the shellcode:
    ADD EAX, 14h        ; the length of the decoder is 20 bytes
    XOR ECX, ECX
    MOV BL, [EAX+ECX]
    XOR BL, 44h         ; the encoding key is 0x44
    MOV [EAX+ECX], BL
When the decoder starts, EAX points to the start of the shellcode. The real shellcode follows directly after the decoder. For this decoder, a few 0x90 bytes must be appended as the shellcode terminator.
Tips for making the shellcode "thinner":
- Some very useful asm instructions for the shortest shellcode:
    xchg eax, reg   ; exchange EAX with the register value
    lodsd           ; load the dword pointed to by ESI into EAX, then increment ESI
    lodsb           ; load the byte pointed to by ESI into AL, then increment ESI
    cdq             ; sign-extend EAX into EDX:EAX; if EAX < 0x80000000 this instruction can be used as
    mov edx, NULL
- Use registers such as EBP, ESI, EDI, etc. to store data rather than pushing it onto the stack.
- The code can also be used as data.
- Protect the stack by raising the ESP value first; this saves a lot of data-initialising instructions.