Dailydave mailing list archives

Re: quick notes


From: hdm-daily-dave () digitaloffense net
Date: Thu, 2 Sep 2004 00:17:58 -0500

Hi Oded! 

The Content-Length/GET trick does not work with lookaside in this case; 
the application allocates a huge (8018) byte chunk and then loads the 
network data into this. I will have to find a way to control allocation 
size (which shouldn't be too hard, just time consuming). Thanks for the 
suggestion, it might be time to go back and fix my XEXCH50 exploit as 
well :)

-HD

On Monday 30 August 2004 13:15, oded.horovitz () hushmail com wrote:
You have the best setup for lookaside basing. Just load a controllable-length
input to some lookaside entry, and set edx to that entry-0x44

-- quick heap info for webservd.exe --

0:028> !heap
NtGlobalFlag enables following debugging aids for new heaps:    tail checking
Index   Address  Name      Debugging options enabled
  1:   00140000                
  2:   00240000                
  3:   00250000                
  4:   00340000                
  5:   00390000                
  6:   003b0000 
  
0:028> s 100000 Lfffffff 0x51 0x61 0x71 0x81
050b909f  51 61 71 81 cc cc cc cc-cc cc cc cc cc cc cc cc  
051cdef7  51 61 71 81 cc cc cc cc-cc cc cc cc cc cc cc cc 
052f743f  51 61 71 81 cc cc cc cc-cc cc cc cc cc cc cc cc  
0539e21f  51 61 71 81 cc cc cc cc-cc cc cc cc cc cc cc cc  
0542858f  51 61 71 81 cc cc cc cc-cc cc cc cc cc cc cc cc  
05674b07  51 61 71 81 cc cc cc cc-cc cc cc cc cc cc cc cc  
0569cb17  51 61 71 81 cc cc cc cc-cc cc cc cc cc cc cc cc  

0:028> !heap -x 050b909f
050b9000  050b9008  00340000  05010000      8018      8000  busy 
[ ... ]
0:028> !heap -x 0569cb17
0569ca78  0569ca80  00340000  05010000      8018        50  busy 

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
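The debugger session quoted above shows the workflow in raw form: search the
process for a byte pattern, then ask `!heap -x` which chunk each hit lives in.
What it does not show is the arithmetic that tells you whether the hits are
consistent with one fixed-size allocation. The script below is an added
example, not code from HD, Oded or the Dailydave thread; it parses the
`s` hits and the two `!heap -x` answers as they appear in the mail. It assumes
the headerless `!heap -x` columns are Entry, UserPtr, Heap, Segment, Size,
PrevSize, Flags, and that lookaside lists front only small blocks (128 size
classes of 8 bytes, i.e. up to 0x3F8 bytes, as on the XP/2003-era NT heap).

```python
import re

# Constructed sample: three of the `s` hits and the two `!heap -x` answers
# quoted in the mail (addresses and sizes are the page's own).
SEARCH_OUTPUT = """\
050b909f  51 61 71 81 cc cc cc cc-cc cc cc cc cc cc cc cc
051cdef7  51 61 71 81 cc cc cc cc-cc cc cc cc cc cc cc cc
0569cb17  51 61 71 81 cc cc cc cc-cc cc cc cc cc cc cc cc
"""
HEAP_X_OUTPUT = """\
050b9000  050b9008  00340000  05010000      8018      8000  busy
0569ca78  0569ca80  00340000  05010000      8018        50  busy
"""

# Assumed column order for headerless `!heap -x` output (all hex but Flags).
HEAP_X_RE = re.compile(
    r"^\s*([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})"
    r"\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\w+)", re.I)
SEARCH_RE = re.compile(r"^\s*([0-9a-f]{8})\s+", re.I)

# Assumption: lookaside lists cover 128 size classes of 8-byte granularity,
# so anything above 0x3F8 bytes cannot be served from a lookaside entry.
LOOKASIDE_MAX = 0x3F8


def parse_search_hits(text):
    """Addresses from `s` output, one per hit line."""
    return [int(m.group(1), 16)
            for m in (SEARCH_RE.match(l) for l in text.splitlines()) if m]


def parse_heap_x(text):
    """Chunk records from `!heap -x` output; non-matching lines are skipped."""
    chunks = []
    for line in text.splitlines():
        m = HEAP_X_RE.match(line)
        if not m:
            continue
        entry, user, heap, seg, size, prev, flags = m.groups()
        chunks.append({
            "entry": int(entry, 16), "user": int(user, 16),
            "heap": int(heap, 16), "segment": int(seg, 16),
            "size": int(size, 16), "prev_size": int(prev, 16),
            "flags": flags.lower(),
        })
    return chunks


def locate_hit(addr, chunks):
    """(chunk, offset from user pointer) for the chunk containing addr, else None."""
    for c in chunks:
        if c["entry"] <= addr < c["entry"] + c["size"]:
            return c, addr - c["user"]
    return None


def triage(hits, chunks):
    """One row per hit: owning chunk, offset inside it, busy flag, lookaside fit."""
    rows = []
    for addr in hits:
        found = locate_hit(addr, chunks)
        if found is None:
            rows.append({"hit": addr, "chunk": None})
            continue
        c, off = found
        rows.append({
            "hit": addr, "chunk": c["entry"], "offset": off, "size": c["size"],
            "busy": c["flags"] == "busy",
            # Size column includes header overhead; coarse but decisive here.
            "lookaside_eligible": c["size"] <= LOOKASIDE_MAX,
        })
    return rows


def all_same_offset(rows):
    """True when every resolved hit sits at the same offset in its chunk."""
    offsets = {r["offset"] for r in rows if r["chunk"] is not None}
    return len(offsets) == 1


if __name__ == "__main__":
    rows = triage(parse_search_hits(SEARCH_OUTPUT), parse_heap_x(HEAP_X_OUTPUT))
    for r in rows:
        if r["chunk"] is None:
            print(f"{r['hit']:08x}: no matching !heap -x record")
        else:
            print(f"{r['hit']:08x}: chunk {r['chunk']:08x} size {r['size']:#x} "
                  f"+{r['offset']:#x} busy={r['busy']} "
                  f"lookaside={r['lookaside_eligible']}")
    print("same offset in every chunk:", all_same_offset(rows))
```

Run against the mail's numbers, both resolved hits sit at offset 0x97 inside
an 0x8018-byte busy chunk, which is what you expect of a fixed-layout buffer
rather than data placed by the request, and 0x8018 is far above anything a
lookaside entry serves; that is the size problem HD describes. The same
parser works on a longer `!heap -x` sweep, so it doubles as a quick check
that a crash address or a suspicious pattern lies in the allocation you think
it does.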