Vuln Dev
Help developing an exploit Apr 29 2007 01:46AM
Webster Orkin (webster orkin gmail com) (3 replies)
Re: Help developing an exploit May 01 2007 10:15PM
alireza hassani (trueend5 yahoo com)
I totally agree with 'RaMatkal', who said:

"Generally, when exploiting Windows apps the idea isn't to overflow EIP with the address of your shellcode (if it's on the stack), because as you said the address contains NULL characters..."

Sure! It isn't a good idea to put the address of your shellcode directly into EIP, because you are going to develop a portable exploit, not an exploit which just works for yourself.

"After you overflow the stack, do any of the registers point anywhere near your shellcode? Then all you need to do is overflow EIP with the address of a JMP (reg) in the process's address space. I.e. suppose EBX points to your shellcode; then you would overflow EIP with the address of a JMP EBX or CALL EBX etc... These addresses can be found manually or using the Metasploit opcode database..."

Exactly, that is the main approach, but if you have the same problem with CALL or JMP REG in your shellcode because of NULL or forbidden chars, then you can use the ADC trick to avoid it.

For example, you want to overflow ECX with 0012E6B4:
MOV ECX,0012E6B4 --> Forbidden char \x00, Not

B9 C5F72311     MOV ECX,1123F7C5
81D1 EFEEEEEE   ADC ECX,-11111111 --> At this time ECX holds 0012E6B4

Security Science Researchers Institute Of Iran

--- Webster Orkin <webster.orkin (at) gmail (dot) com> wrote:

> Hi List,
> I discovered a buffer overflow in a networked application that my company uses. I plan to notify the company that writes the program, but I'd like to develop sample exploit code before I do so they'll take it more seriously. I've never written exploit code, but I do have experience with coding, network security, etc. In the past couple of weeks I've been looking at a lot of exploit code, reading up on metasploit, and working with Windbg. Basically, their program listens on a TCP port for a connection that sends a username/password in an XML message. They don't bounds-check either username (overflows after 45 chars) or password (overflows after 23 chars). Playing with larger inputs, I am able to get a payload sent, and can get values into EAX, EDX, and EIP at various points. The problem I've been having is that my payload ends up at address 0x0012E6B4 and if I try to get that address into EIP, my entire message is rejected for containing an x00 character. Here's what I've found about what I can send:
> (23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into EDX->EIP)(up to 4500 bytes)
> Clearly that last block would be a great place for a payload, but I just can't seem to get EIP to what I want. Here are the last three lines of the program disassembly:
> mov edx,dword ptr [eax]
> push eax
> call dword ptr [edx+8]
> That last line is where the debugger keeps stopping because since I haven't been able to put in the address I want (0012...), I've been using invalid memory addresses as space holders (\xb4\xe6\x12\xcc).
> I'm not sure if anyone can help, but it feels like I'm very close. I can also send along my current metasploit ruby file if that would help. If anyone has any suggestions, I'd greatly appreciate it.
> Thanks,
> -Webster


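As an added check of the arithmetic behind the MOV/ADC pair in the reply above (my code, not from the thread), the script below encodes both instructions, confirms that neither encoding contains the 0x00 byte the application rejects while the direct MOV does, and computes the value ECX ends up holding. Since ADC also adds the carry flag, the result is computed for CF clear and CF set: the 0012E6B4 result in the post assumes CF is clear when the ADC executes.

```python
import struct

# Forbidden byte values from the thread: the target application rejected 0x00.
BAD_BYTES = {0x00}
MASK = 0xFFFFFFFF


def encode_mov_ecx(imm):
    """Encode MOV ECX, imm32 (opcode B9 followed by a little-endian immediate)."""
    return b"\xb9" + struct.pack("<I", imm & MASK)


def encode_adc_ecx(imm):
    """Encode ADC ECX, imm32 (opcode 81 with ModRM D1, little-endian immediate)."""
    return b"\x81\xd1" + struct.pack("<I", imm & MASK)


def bad_bytes_in(code):
    """Forbidden byte values that occur in an instruction encoding."""
    return {b for b in code if b in BAD_BYTES}


def adc_pair_result(mov_imm, adc_imm, carry):
    """ECX after MOV ECX,mov_imm ; ADC ECX,adc_imm with CF == carry (32-bit wrap)."""
    return (mov_imm + adc_imm + carry) & MASK


def check_pair(mov_imm, adc_imm, target):
    """Check a MOV/ADC pair against the wanted register value.

    Returns (encoding_is_clean, hits_target_with_cf_clear, hits_target_with_cf_set).
    """
    code = encode_mov_ecx(mov_imm) + encode_adc_ecx(adc_imm)
    clean = not bad_bytes_in(code)
    cf0 = adc_pair_result(mov_imm, adc_imm, 0) == target
    cf1 = adc_pair_result(mov_imm, adc_imm, 1) == target
    return clean, cf0, cf1


if __name__ == "__main__":
    target = 0x0012E6B4                          # address from the thread
    direct = encode_mov_ecx(target)
    print("MOV ECX,%08X -> %s  bad bytes: %s" % (target, direct.hex(), bad_bytes_in(direct)))
    mov_imm, adc_imm = 0x1123F7C5, -0x11111111   # the pair from the reply
    clean, cf0, cf1 = check_pair(mov_imm, adc_imm, target)
    print("pair encoding clean:", clean)
    print("ECX with CF=0: %08X" % adc_pair_result(mov_imm, adc_imm, 0), "hits target:", cf0)
    print("ECX with CF=1: %08X" % adc_pair_result(mov_imm, adc_imm, 1), "hits target:", cf1)
```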
Re: Help developing an exploit Apr 30 2007 10:17AM
Felix Lindner (fx sabre-labs com)
RE: Help developing an exploit Apr 30 2007 08:21AM
Sol Z List (RaMatkal hotmail com)


Copyright 2010, SecurityFocus