Dailydave mailing list archives
Re: Exploitation of EIP with only ASCII
From: jnf <jnf () nosec net>
Date: Tue, 21 Mar 2006 23:42:48 -0800 (PST)
Andrew, given your options, what you should look for is the ability to either overwrite one or two bytes of one of the saved addresses on the stack, OR overwrite something that is used later. For instance, if you can overwrite data that is later pop'd into a register then used as an index into an array, you may have significant leverage. The bottom line is to be creative: there are many regions of memory, one of which you control. Where can your control take you exactly? You very well could be able to change the control flow of the program via an 'if (variable_on_the_stack == 1) function1(); else function2(variable_on_the_stack2);'.

As I understood the situation, the allowable characters are [A-Z]. This basically equates to a nop on x86/x86_64, but presuming you give the program what it expects, what future outcomes can you affect?

Welcome to the rabbit hole, Alice.

--
There are only two choices in life. You either conform the truth to your desire, or you conform your desire to the truth. Which choice are you making?

On Wed, 22 Mar 2006, Andrew Christensen wrote:
Date: Wed, 22 Mar 2006 00:32:46 +0100
From: Andrew Christensen <anc () fortconsult net>
To: Halvar Flake <HalVar () gmx de>
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Exploitation of EIP with only ASCII

Hmmm.. I've just been looking at the scenario of overflows where only [A-Z] can be used due to filters, specifically on Windows XP. After some more inspection, it seems like NONE of the loaded modules are actually at memory addresses which can be represented using uppercase ASCII letters....?

As far as I can tell, this basically means the only option is performing a partial overwrite and ending up somewhere else in the module where the overflow actually occurs, at addresses of xxxx0041 to xxxx005A. So - I guess the correct approach is looking for anything useful within the overflowed module, within the scope of those addresses. Is there anything I'm missing? I would be very appreciative of any insight...

- Andrew

P.S. I suppose the fact that NONE of the modules are at upper-case-letter-addressable addresses could have something to do with the specific language pack on the machine I used for testing, so if anybody sees other results I'd be interested to hear that too.

"Halvar Flake" <HalVar () gmx de> wrote on 20-03-2006 08:55:
To: H D Moore <hdm-daily-dave () digitaloffense net>
cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Exploitation of EIP with only ASCII

> I've tried to see if I could find a valid JMP, JE, JNE CALL EBX but so

In many situations, an "add esp, xxx -- retn" can be just as useful.