Vuln Dev
Help developing an exploit Apr 29 2007 01:46AM
Webster Orkin (webster orkin gmail com) (3 replies)
Re: Help developing an exploit May 01 2007 10:15PM
alireza hassani (trueend5 yahoo com)
Re: Help developing an exploit Apr 30 2007 10:17AM
Felix Lindner (fx sabre-labs com)
RE: Help developing an exploit Apr 30 2007 08:21AM
Sol Z List (RaMatkal hotmail com)
Generally, when exploiting Windows apps the idea isn't to overflow EIP with
the address of your shellcode (if it's on the stack) because, as you said, the
address contains NULL characters...

After you overflow the stack, do any of the registers point anywhere near
your shellcode? Then all you need to do is overflow EIP with the address of
a JMP (reg) in the process's address space. I.e. suppose EBX points to your
shellcode, then you would overflow EIP with the address of a JMP EBX or CALL
EBX etc... These addresses can be found manually or using metasploit opcode

Hope that was clear...

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of Webster Orkin
Sent: Sunday, April 29, 2007 3:46 AM
To: vuln-dev (at) securityfocus (dot) com
Subject: Help developing an exploit

Hi List,

I discovered a buffer overflow in a networked application that my
company uses. I plan to notify the company that writes the program,
but I'd like to develop sample exploit code before I do so they'll
take it more seriously. I've never written exploit code, but I do
have experience with coding, network security, etc. In the past
couple of weeks I've been looking at a lot of exploit code, reading up
on metasploit, and working with Windbg. Basically, their program
listens on a TCP port for a connection that sends a username/password
in an XML message. They don't bounds-check either username (overflows
after 45 chars) or password (overflows after 23 chars). Playing with
larger inputs, I am able to get a payload sent, and can get values
into EAX, EDX, and EIP at various points. The problem I've been
having is that my payload ends up at address 0x0012E6B4 and if I try
to get that address into EIP, my entire message is rejected for
containing an x00 character. Here's what I've found about what I can

(23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into
EDX->EIP)(up to 4500 bytes)

Clearly that last block would be a great place for a payload, but I
just can't seem to get EIP to what I want. Here are the last three
lines of the program disassembly:
mov edx,dword ptr [eax]
push eax
call dword ptr [edx+8]

That last line is where the debugger keeps stopping, because since I
haven't been able to put in the address I want (0012...), I've been
using invalid memory addresses as space holders (\xb4\xe6\x12\xcc).

I'm not sure if anyone can help, but it feels like I'm very close. I
can also send along my current metasploit ruby file if that would
help. If anyone has any suggestions, I'd greatly appreciate it.



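The original post describes a login service that copies the XML username (overflows after 45 characters) and password (overflows after 23) into fixed-size buffers with no length check. As an added example that is not part of this thread or of the vendor's program, here is what the bounded version of such a parser looks like in C. The tag names, the message layout and the exact field limits are assumptions taken from the post's description, not the real protocol.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed limits mirroring the post: the username overflows after 45
   characters and the password after 23, so each buffer holds exactly that
   many plus a terminator. */
#define USER_MAX 45
#define PASS_MAX 23

struct creds {
    char user[USER_MAX + 1];
    char pass[PASS_MAX + 1];
};

/* Copy the text between <tag> and </tag> from msg into out (capacity cap,
   including the terminator). Returns 0 on success, -1 if the tag is missing
   or the value does not fit. The service in the post copies the value
   without checking its length; this version refuses over-long input
   instead of writing past the end of the buffer. */
static int extract_field(const char *msg, const char *tag, char *out, size_t cap)
{
    char open[32], close[32];
    snprintf(open, sizeof open, "<%s>", tag);
    snprintf(close, sizeof close, "</%s>", tag);

    const char *start = strstr(msg, open);
    if (!start) return -1;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (!end) return -1;

    size_t len = (size_t)(end - start);
    if (len >= cap) return -1;   /* the bounds check the original lacks */
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Parse a login message into c. Returns 0 on success, -1 on any rejected
   or malformed field. */
int parse_login(const char *msg, struct creds *c)
{
    if (extract_field(msg, "username", c->user, sizeof c->user) != 0) return -1;
    if (extract_field(msg, "password", c->pass, sizeof c->pass) != 0) return -1;
    return 0;
}

/* Build a login message (constructed input) with a user_len-character
   username and a pass_len-character password and report whether the
   bounded parser accepts it: 1 = accepted, 0 = rejected. */
int login_accepted(size_t user_len, size_t pass_len)
{
    char user[512], pass[512], msg[2048];
    struct creds c;

    if (user_len >= sizeof user || pass_len >= sizeof pass) return 0;
    memset(user, 'A', user_len); user[user_len] = '\0';
    memset(pass, 'B', pass_len); pass[pass_len] = '\0';
    snprintf(msg, sizeof msg,
             "<login><username>%s</username><password>%s</password></login>",
             user, pass);
    return parse_login(msg, &c) == 0;
}

int main(void)
{
    /* Exactly at the limit is accepted; one byte over is rejected rather
       than overflowing the buffer. */
    printf("45/23 accepted: %d\n", login_accepted(45, 23));
    printf("46/23 accepted: %d\n", login_accepted(46, 23));
    printf("45/24 accepted: %d\n", login_accepted(45, 24));
    return 0;
}
```

The point of the length check is that an over-long field is refused before any copy happens, so the message the poster built (a 45-character username followed by controlled bytes) never reaches the stack frame, and there is nothing for EIP to be overwritten with.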


Copyright 2010, SecurityFocus