Vuln Dev
Help developing an exploit Apr 29 2007 01:46AM
Webster Orkin (webster orkin gmail com) (3 replies)
Re: Help developing an exploit May 01 2007 10:15PM
alireza hassani (trueend5 yahoo com)
Re: Help developing an exploit Apr 30 2007 10:17AM
Felix Lindner (fx sabre-labs com)
Hi,

On Sat, 28 Apr 2007 21:46:08 -0400
"Webster Orkin" <webster.orkin (at) gmail (dot) com [email concealed]> wrote:
> The problem I've been
> having is that my payload ends up at address 0x0012E6B4 and if I try
> to get that address into EIP, my entire message is rejected for
> containing an x00 character. Here's what I've found about what I can
> send:
>
> (23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into
> EDX->EIP)(up to 4500 bytes)

From the address, it looks like your buffer is on the stack. Please ignore the
rest of this posting if that's not the case.
The obvious solution would be to look for a byte sequence 0xFFE4 (jmp esp) or
similar in memory mapped at addresses without 0x00 or other forbidden
characters in them. Since you say XML, I assume 0x3c, 0x2f and 0x3e wouldn't
be appreciated either. Once you find such an address, let EDX->EIP point
there, so execution will return to the stack.
You may try OllyDbg and http://www.phenoelit.de/win/OllyUni_0.10.zip for
finding specific byte sequences that may help you get your code executed.

HIHAL,
FX

--
SABRE Labs GmbH | Felix 'FX' Lindner <fx (at) sabre-labs (dot) com [email concealed]>
http://www.sabre-labs.com | GSM: +49 171 7402062
Wrangelstrasse 4 | PGP: A740 DE51 9891 19DF 0D05
10997 Berlin, Germany | 13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner

[ reply ]
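As an added illustration of the constraint FX describes (not code from the thread or from OllyUni), the script below scans a constructed memory image for the `jmp esp`-style sequences he mentions and discards every candidate address that contains a byte the target would reject. The image contents, the base address 0x7C8A1000 and the bad-byte set (0x00 plus the XML characters 0x3c, 0x2f, 0x3e) are all assumed for the example; the only value taken from the thread is the stack address 0x0012E6B4. The same check is what a hardening review does in reverse: a module that is loaded at a fixed base and hands out a clean trampoline is exactly the module that benefits most from being rebased or marked ASLR-compatible.

```python
"""Added example (not part of the original thread): locate ESP-relative
trampolines in a constructed memory image and keep only the addresses
that contain none of the bytes the target protocol filters out."""

# x86 byte sequences that transfer control to the address held in ESP.
TRAMPOLINES = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}

# Bytes the target rejects, as suggested in the thread: NUL plus the XML
# delimiters '<', '/', '>'.  (Assumed set for this example.)
BAD_BYTES = {0x00, 0x3C, 0x2F, 0x3E}

# Constructed image: 256 bytes of NOP filler with three trampolines planted
# at known offsets.  The base address is an assumption, chosen so that only
# one of the three lands on an address free of forbidden bytes.
BASE = 0x7C8A1000
IMAGE = bytearray(b"\x90" * 0x100)
IMAGE[0x23:0x25] = b"\xff\xe4"   # -> 0x7C8A1023: bytes 23 10 8A 7C, clean
IMAGE[0x2F:0x31] = b"\x54\xc3"   # -> 0x7C8A102F: low byte 0x2F ('/'), rejected
IMAGE[0x3C:0x3E] = b"\xff\xd4"   # -> 0x7C8A103C: low byte 0x3C ('<'), rejected


def address_is_clean(addr: int, bad_bytes: set[int] = BAD_BYTES) -> bool:
    """True if none of the four little-endian bytes of a 32-bit address
    is in the forbidden set.  This is the test the stack address from the
    thread fails: 0x0012E6B4 is sent as B4 E6 12 00 and the 00 ends it."""
    return not any(b in bad_bytes for b in addr.to_bytes(4, "little"))


def find_trampolines(image: bytes, base: int,
                     bad_bytes: set[int] = BAD_BYTES) -> list[tuple[int, str]]:
    """Return (address, mnemonic) for every trampoline sequence in `image`
    whose address (base + offset) survives the bad-byte filter."""
    hits = []
    for seq, name in TRAMPOLINES.items():
        start = 0
        while True:
            idx = image.find(seq, start)
            if idx < 0:
                break
            addr = base + idx
            if address_is_clean(addr, bad_bytes):
                hits.append((addr, name))
            start = idx + 1          # keep scanning past this match
    return sorted(hits)


def demo() -> list[tuple[int, str]]:
    """Run the scan over the constructed image and report the result."""
    stack_addr = 0x0012E6B4
    print(f"stack address {stack_addr:#010x} clean: "
          f"{address_is_clean(stack_addr)}")
    hits = find_trampolines(bytes(IMAGE), BASE)
    for addr, name in hits:
        print(f"{addr:#010x}  {name}")
    return hits


if __name__ == "__main__":
    demo()
```

With the assumed layout the scan reports only 0x7C8A1023 (`jmp esp`); the other two sequences exist in the image but sit at addresses whose low byte is one of the XML delimiters, so they are no better than the NUL-containing stack address.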
RE: Help developing an exploit Apr 30 2007 08:21AM
Sol Z List (RaMatkal hotmail com)