I want to write an exploit for a test application that provides only 12 bytes of space at the ESP. I'm not able to place shellcode in such a small space. I have no clue what I can do to solve this.

I have done the following steps:

  1. Fuzzing
  2. Find the offset
  3. Check for bad chars
  4. Find a module JMP address
  5. Control EIP
  6. Use msfvenom to write the shellcode


I have tried to add 16 "B"s, but only 12 got written into the ESP space.

  • I googled your title and got a ton of hits. You need to put in a pointer to a space that has more space.
    – schroeder
    Commented Jan 19, 2021 at 7:55
  • You should check about egghunting.
    Commented Jun 19, 2021 at 12:22

1 Answer

You've run into a common problem in developing realistic exploits. Being a common problem, there is likely a solution. You just have to already know how to find it.

In this case, look into the concept of a trampoline. Trampolines are small segments of shellcode that exist to redirect execution. It is useful in this type of scenario because you can redirect to a larger block of memory that you also were able to overwrite. So in your 12 bytes, you have to craft code (start with JMP) that transfers EIP into a larger block from your overflow buffer.

  • Thanks for your quick response. The hint is helpful. I will check how I can find the larger block and how to jump there.
    – Nightwolf
    Commented Jan 19, 2021 at 14:02
