Dailydave mailing list archives

RE: Fwd: RE: We have the enemy, and the enemy is... you


From: "Dave Korn" <dave.korn () artimi com>
Date: Fri, 14 Apr 2006 15:41:51 +0100

On 14 April 2006 04:20, H D Moore wrote:

> interesting - you end up overwriting two local variables which happen to
> be the source and destination pointers for an inlined memcpy. If you can
> make it past the memcpy, the app will return to your address of choice.
> There are no SEH frames on the stack, so you have to pass the copy before
> being able to abuse the return address overwrite.
>
> At this point, you have quite a few options:

  Heh, ret-2-memcpy sploits are fun!  So many possibilities!

> Since I had already wasted too much time with this bug, I chose the last
> option and used a 'jmp esp' in DLClient.dll (after using a src/dst
> pointer from DLClient.dll's data to pass the memcpy). The result is
> reliable execution of at least 500 bytes of payload. The only annoying
> part is making the payload pass through tolower() :-)

  Another annoying part can be finding both a source address, and a destination address, AND sometimes a return
address that all have no zeros in them!  (I once spent quite some time struggling against this in a sploit.... never
did get it in the end)

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
