Getting address of shellcode into ESP? - HeapOverflow Computer Security Community & Forums : Heap Overflow.com


danny3
02-02-09, 19:50
There is a remote vulnerability in a multiplayer game. I am new to this but have been able to overflow the buffer and change the return address to one that points to `call esp` inside kernel32.dll.

I've read several articles but I'm still not sure how I would overwrite the ESP register or somehow get the address of my shellcode into it?

I'm sending the data like this...

[Normal data]
[OVERFLOW AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
[Return Address - call esp]
[Shellcode?]

Doing the above works on a simple vulnerable program I wrote (testing locally), but the shellcode doesn't get executed on the game. It goes to `call esp`, but how do I get ESP to point to the location of my shellcode?

danny3
06-02-09, 04:41
I figured it out.

Y'all suck... :/

fl0 fl0w
14-02-09, 07:15
Can you maybe tell us what game it is?