
I'm working on a buffer overflow exercise and I have my connected client IP address available on the stack (ESP + 7C).

Is it possible to write a single instruction to push the value of the IP into the stack, so I can use it later? I want my shellcode to be smaller in size; that's why I don't want to write multiple instructions to push its value.

Is this instruction ok? Would it push the value of ESP+7c onto the stack?

PUSH [ESP+7c]
donjuedo
Th3carpenter
    Yes it's logically fine, but you should use the proper syntax for hex numbers and you might need a size specifier, e.g. `push dword [esp+0x7c]` for nasm. Also be careful using `push` with `esp`-relative addresses since `push` obviously changes `esp`. – Jester Dec 17 '18 at 17:06
  • Thanks, yes, exactly: I did `PUSH DWORD PTR SS:[ESP+7C]`; however, I can't see the value in the stack. I will give it another try. – Th3carpenter Dec 17 '18 at 17:34
  • That is going to push the value that is in memory location ESP+0x7c, not the value “esp+0x7c”; if you want to do the latter, something like push eax; lea eax, [esp + 0x80]; xchg eax, [esp]. – mevets Dec 17 '18 at 18:08
  • Doing the following, `push eax; lea eax, [esp + 0x7C]; xchg eax, [esp]`, gives the below result: http://%14%FC/ – Th3carpenter Dec 17 '18 at 18:17
  • After a `push eax`, you'd need `lea eax, [esp + 0x7c + 4]`. That sounds like a silly idea unless you need to preserve the old value of EAX, though. Just use `push dword ptr [esp + 0x7c]` or `push dword ptr [esp + 07Ch]` like a normal person, if you're using MASM syntax. – Peter Cordes Dec 17 '18 at 22:37
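A small Python model of the stack operations discussed in the question and comments, added here as an illustration and not taken from the question or any answer. The 32-bit stack, its starting ESP value and the "client IP" word placed at [esp+0x7c] are all constructed; it shows that `push dword [esp+0x7c]` pushes the memory contents at the old ESP+0x7c, and that the `push eax / lea / xchg` sequence needs the +4 fixup after `push eax` to push the address itself.

```python
import struct

class Stack32:
    """Minimal model of a 32-bit x86 stack: ESP, EAX and a word-addressed memory."""

    def __init__(self, esp=0x00FFF000):   # constructed starting ESP
        self.esp = esp
        self.eax = 0
        self.mem = {}  # address -> 4 little-endian bytes

    def read32(self, addr):
        return struct.unpack("<I", self.mem.get(addr, b"\x00" * 4))[0]

    def write32(self, addr, value):
        self.mem[addr] = struct.pack("<I", value & 0xFFFFFFFF)

    def push(self, value):
        # PUSH: ESP is decremented by 4, then the value is stored at [ESP].
        self.esp -= 4
        self.write32(self.esp, value)

    def pop(self):
        value = self.read32(self.esp)
        self.esp += 4
        return value

    def push_mem_esp(self, disp):
        # push dword [esp+disp]: the effective address is computed with ESP
        # *before* the decrement, so this pushes the contents of [old_esp+disp].
        self.push(self.read32(self.esp + disp))

    def push_addr_esp(self, disp, fixup=4):
        # Push the *address* old_esp+disp with the three-instruction sequence
        # from the comments. After `push eax` ESP is 4 lower, so the LEA
        # displacement needs +4 (fixup=0 reproduces the off-by-four mistake).
        self.push(self.eax)                     # push eax
        self.eax = self.esp + disp + fixup      # lea eax, [esp + disp + fixup]
        saved_eax = self.read32(self.esp)
        self.write32(self.esp, self.eax)        # xchg eax, [esp]: address goes
        self.eax = saved_eax                    # to the stack, EAX is restored
```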
