Dailydave mailing list archives
Re: Exploitation of EIP with only ASCII
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Sun, 19 Mar 2006 16:57:41 -0600
The process I tend to use:

1) Dump the process's address space with memdump.exe (framework/tools), then use msfpescan -d <directory created by memdump> with -s/-j/-x to find a valid return address. Write a filtering script or just hack up msfpescan to only display addresses that match your allowed character set.

2) Try to perform a partial overwrite of the return address/SEH ptr and see if I can change the LSBs to point to an interesting opcode in the .text section of the calling function (or wherever the SEH happened to be). If the string is null-terminated for you by the application (often the case), this gives you access to 0x00XXYYZZ, which gives you even more options for your return.

Good luck!

-hD

On Sunday 19 March 2006 15:08, CIRT.DK Mailinglists wrote:
Hey there,

I have a question: does any of you have ideas on how to exploit a buffer overflow where the EIP is controlled, but the only valid characters for the part where the EIP is located on the stack are A-Z uppercase and nothing else?

In the same bug the SEH is also controlled, but again the only valid characters are uppercase A-Z (x41-x5A).

I've tried to see if I could find a valid JMP, JE, JNE, CALL EBX, but so far no luck.

Any ideas?

Regards,
Dennis Rand
CIRT.DK
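The filtering step HD Moore describes (keep only candidate addresses whose bytes all fall in the allowed character set) and the partial-overwrite idea (only the bytes the payload actually reaches, plus an application-supplied null terminator, need to satisfy the constraint) can be expressed as a small check. The following is an added illustration, not code from the thread, from msfpescan or from the Metasploit project; the candidate addresses are constructed sample values, not real module addresses, and `ALLOWED` is the A-Z range quoted in the question.

```python
import struct

# Allowed byte values from the thread: uppercase 'A'..'Z' (0x41-0x5A).
ALLOWED = frozenset(range(0x41, 0x5B))


def address_bytes(addr: int) -> bytes:
    """Little-endian encoding of a 32-bit address, i.e. the byte order in which
    an x86 return address or SEH pointer sits in memory."""
    return struct.pack("<I", addr)


def fits_charset(addr: int, allowed=ALLOWED, overwrite_len: int = 4) -> bool:
    """True if the low `overwrite_len` bytes of `addr` are all in `allowed`.

    overwrite_len=4 is a full overwrite; smaller values model a partial
    overwrite where the upper bytes of the original pointer are left intact
    and therefore need not be representable in the character set."""
    return all(b in allowed for b in address_bytes(addr)[:overwrite_len])


def fits_with_null_terminator(addr: int, allowed=ALLOWED) -> bool:
    """The 0x00XXYYZZ case from the reply: three controlled bytes followed by
    a null that the application appends, so the top byte must be 0x00 and the
    low three bytes must be in the character set."""
    b = address_bytes(addr)
    return b[3] == 0x00 and all(x in allowed for x in b[:3])


def filter_candidates(candidates, allowed=ALLOWED, overwrite_len: int = 4):
    """Keep only addresses usable under the given overwrite model; this is the
    filtering a script around msfpescan output would perform."""
    return [a for a in candidates if fits_charset(a, allowed, overwrite_len)]


# Constructed sample candidates (hypothetical values, not real addresses).
CANDIDATES = [0x41424344, 0x7C801234, 0x00415A41, 0x4A4B5B4C]

if __name__ == "__main__":
    for a in CANDIDATES:
        print(f"0x{a:08X} bytes={address_bytes(a).hex()} "
              f"full={fits_charset(a)} low3={fits_charset(a, overwrite_len=3)} "
              f"null_term={fits_with_null_terminator(a)}")
```

Note that the constraint applies to the little-endian byte layout, not to the hex digits as written: `0x4A4B5B4C` fails because its low bytes include `0x5B`, which is one past `Z`.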