Bugtraq mailing list archives
Re: Re: Remote buffer overflow in httpdx
From: pankaj208 () gmail com
Date: 10 Oct 2009 02:58:51 -0000
The addr value used is required to reach the ret instruction. The value used 0x63b8624f lies in idata segment of n.dll Note that in order to reach ret instruction, value at addr+0x0e0f should be non-zero for if(isset(client->serve.redirect)) to succeed => 004069E1 CMP BYTE PTR DS:[EAX+0E0F],0 and addr+0x0f24 should be writable for client->state = STATE_DONE to execute. => 00406AAF MOV DWORD PTR DS:[EAX+0F24],0 The other two addresses used are ret1 = 0x64f8134b (pop ret in core.dll) to pop addr and return to ret2 ret2 = 0x7c874413 (jmp esp in kernel32.dll) to jump to shellcode following ret2. Though I am able to get a shell, the retn/offsets used are not universal. Thanks, Pankaj
Current thread:
- Remote buffer overflow in httpdx pankaj208 (Oct 08)
- <Possible follow-ups>
- Re: Remote buffer overflow in httpdx dr_ide (Oct 09)
- Re: Re: Remote buffer overflow in httpdx pankaj208 (Oct 13)