Vuln Dev
Re: 3COM TFTPD Overflow: SEH Overwrite Feb 04 2008 05:31PM
lists skilltube com
What vulnerability are you trying to exploit? This one?

http://www.securityfocus.com/bid/21322

In your document, you say

"I look for POP/POP/RET ws2_32.dll (to avoid SafeSEH restrictions?)"

are you telling or asking? Can you please provide a little more info.
Otherwise it is hard to help here. If you try to exploit the
vulnerability mentioned above, send the following request (perl style):

$buffer="\x00\x01";
$buffer .=("\x41\x00");
$buffer .=("A"x480);

That should give you control over eip. By selecting the right return
address, you end up in a reliable exploit.

Quoting jeremy.junginger (at) gmail (dot) com [email concealed]:

> I'm attempting to exploit an already known bug in 3COM TFTPD server,
> and execute "calc.exe" with my shellcode. I have control of
> ECX/EIP, and can overwrite both SEH and pointer to next SEH
> successfully, and have used:
>
> Pointer to next SEH: \xeb\x10\x90\x90
> SEH: \x69\x12\xab\x71 (POP/POP/RET in ws2_32.dll)
>
> A full writeup with screenshots is available at:
> http://filebin.ca/pmuwqm/SEHOverwrite.rtf
>
> I'm getting "Debugged program was unable to process exception", so I
> hit shift+f9 (in olly) and it terminates with some strange exit
> code. Could you take a peek and see what I'm missing here?
>
> Thanks guys!
>
> -jj
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus