Vuln Dev
Help developing an exploit Apr 29 2007 01:46AM
Webster Orkin (webster orkin gmail com) (3 replies)
Hi List,

I discovered a buffer overflow in a networked application that my
company uses. I plan to notify the company that writes the program,
but I'd like to develop sample exploit code before I do so they'll
take it more seriously. I've never written exploit code, but I do
have experience with coding, network security, etc. In the past
couple of weeks I've been looking at a lot of exploit code, reading up
on metasploit, and working with Windbg. Basically, their program
listens on a TCP port for a connection that sends a username/password
in an XML message. They don't bounds-check either username (overflows
after 45 chars) or password (overflows after 23 chars). Playing with
larger inputs, I am able to get a payload sent, and can get values
into EAX, EDX, and EIP at various points. The problem I've been
having is that my payload ends up at address 0x0012E6B4 and if I try
to get that address into EIP, my entire message is rejected for
containing an x00 character. Here's what I've found about what I can

(23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into
EDX->EIP)(up to 4500 bytes)

Clearly that last block would be a great place for a payload, but I
just can't seem to get EIP to what I want. Here are the last three
lines of the program disassembly:
mov edx,dword ptr [eax]
push eax
call dword ptr [edx+8]

That last line is where the debugger keeps stopping because since I
haven't been able to put in the address I want (0012...), I've been
using invalid memory addresses as space hoders (\xb4\xe6\x12\xcc).

I'm not sure if anyone can help, but it feels like I'm very close. I
can also send along my current metasploit ruby file if that would
help. If anyone has any suggestions, I'd greatly appreciate it.



[ reply ]
Re: Help developing an exploit May 01 2007 10:15PM
alireza hassani (trueend5 yahoo com)
Re: Help developing an exploit Apr 30 2007 10:17AM
Felix Lindner (fx sabre-labs com)
RE: Help developing an exploit Apr 30 2007 08:21AM
Sol Z List (RaMatkal hotmail com)


Privacy Statement
Copyright 2010, SecurityFocus