Dailydave mailing list archives
RE: Fwd: RE: We have the enemy, and the enemy is... you
From: "Dave Korn" <dave.korn () artimi com>
Date: Fri, 14 Apr 2006 15:41:51 +0100
On 14 April 2006 04:20, H D Moore wrote:
interesting - you end up overwriting two local variables which happen to be the source and destination pointers for an inlined memcpy. If you can make it past the memcpy, the app will return to your address of choice. There are no SEH frames on the stack, so you have to pass the copy before being able to abuse the return address overwrite. At this point, you have quite a few options:
Heh, ret-2-memcpy sploits are fun! So many possibilities!
Since I had already wasted too much time with this bug, I chose the last option and used a 'jmp esp' in DLClient.dll (after using a src/dst pointer from DLClient.dll's data to pass the memcpy). The result is reliable execution of at least 500 bytes of payload. The only annoying part is making the payload pass through tolower() :-)
Another annoying part can be finding both a source address, and a destination address, AND sometimes a return address that all have no zeros in them! (I once spent quite some time struggling against this in a sploit.... never did get it in the end)
cheers,
DaveK
--
Can't think of a witty .sigline today....