Vuln Dev
Re: Help developing an exploit Apr 30 2007 09:24AM
Claudio Broglia (xeon sysroot eu)
> Hi List,
Hi Webster,

> I discovered a buffer overflow in a networked application ...
> ... The problem I've been
> having is that my payload ends up at address 0x0012E6B4 and if I try
> to get that address into EIP, my entire message is rejected for
> containing an x00 character. ...
> (23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into
> EDX->EIP)(up to 4500 bytes)
> ...
> Here are the last three
> lines of the program disassembly:
> mov edx,dword ptr [eax]
> push eax
> call dword ptr [edx+8]
>
> That last line is where the debugger keeps stopping because since I
> haven't been able to put in the address I want (0012...), I've been
> using invalid memory addresses as space hoders (\xb4\xe6\x12\xcc).

Just a summary: you would like to call your payload which is located
at address 0x0012e6b4, but you say you can't use a \x00 character.
But from the code snipper you've posted, the last call is a "call
dword ptr [edx+8]" and not a "call edx+8". So from what I understand
you have not to put in EDX 0x0012e6ac (0x0012e6b4-8), but just an
address in the process address space which contains 0x0012e6b4 at the
time of the call. This address obviously would not have a \x00
character in its address. To find it just breakpoint at that call and
search for it in memory (remember to subtract 8 from its address
before putting it in your shellcode).

Hope I've been helpful, let me know.

bye
-xeon

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus