Metasploit mailing list archives
A Wee Bit of Help
From: hdm at metasploit.com (H D Moore)
Date: Fri, 16 Mar 2007 15:30:33 -0500
This exception indicates that you control a pointer that is being dereferenced and compared with zero. This is not exploitable for anything other than a denial of service. By placing a valid value into the EAX register, you prevent the process from crashing, but you have no control over execution. There may be another way to trigger code execution, but changing the value of EAX to be a valid address is probably not it. Something you might want to try is making EAX point to a DWORD with the value 0 (i.e. 4 NULL bytes). This may change the logic of the application and continue on to an exploitable exception.

-HD

On Friday 16 March 2007 16:06, J. M. Seitz wrote:
Now, what I have done is starting at the specified offset where it does the following:

77c42a16 803800 cmp byte ptr [eax],0 ds:0023:90909090=??

I fill that space with the address of where my shellcode is. When I run my "crapsploit" against it, the target process doesn't die anymore and I don't get "calc.exe" popping up. What am I doing wrong here? If I make that return address where my shellcode is a bunch of "A"s then again the process crashes with the same error as before. By the process not dying does it mean that it's running my shellcode, but not successfully?
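A small crash-triage helper, added here as an illustration and not code from HD or the Metasploit project, that parses WinDbg-style faulting-instruction lines like the one quoted above and applies the reasoning in HD's reply: a tainted pointer that is only read and compared with zero is a denial of service, whereas a write through it or an indirect call through it warrants closer analysis. Only the first sample line is from the thread; the other three are constructed for contrast.

```python
import re

# Constructed WinDbg-style faulting-instruction lines. The first reproduces the
# one quoted in the thread; the other three are made-up contrasting cases.
SAMPLE_LINES = [
    "77c42a16 803800 cmp byte ptr [eax],0 ds:0023:90909090=??",
    "7c80ac5c 8901 mov dword ptr [ecx],eax ds:0023:41414141=????????",
    "7c80ac60 ffd0 call eax",
    "7c80ac70 8b08 mov ecx,dword ptr [eax] ds:0023:41414141=????????",
]

# address, opcode bytes, mnemonic, operands, optional "ds:SEL:ADDR=VALUE" note
LINE_RE = re.compile(
    r"^(?P<addr>[0-9a-f]+)\s+(?P<bytes>[0-9a-f]+)\s+(?P<mnem>\w+)\s*(?P<ops>.*?)"
    r"(?:\s+ds:[0-9a-f]{4}:(?P<fault>[0-9a-f]+)=(?P<val>\S+))?$",
    re.IGNORECASE,
)

def parse(line):
    """Split one faulting-instruction line into its fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised faulting-instruction line: %r" % line)
    ops = [o.strip() for o in m.group("ops").split(",") if o.strip()]
    return {"addr": m.group("addr"), "mnem": m.group("mnem").lower(),
            "ops": ops, "fault": m.group("fault"), "val": m.group("val")}

def triage(line):
    """Coarse classification of the faulting instruction, per HD's reasoning."""
    ins = parse(line)
    mnem, ops = ins["mnem"], ins["ops"]
    mem = [o for o in ops if "[" in o]
    if mnem in ("call", "jmp") and ops:
        # indirect transfer through a tainted register or memory operand
        return "likely exploitable: control transfer through tainted operand"
    if mnem in ("cmp", "test") and mem:
        # the quoted case: the pointer is only read and compared with zero
        return "denial of service only: tainted pointer read for comparison"
    if ops and "[" in ops[0]:
        # destination operand is memory: a write through a tainted pointer
        return "potentially exploitable: write through tainted pointer"
    if mem:
        return "needs analysis: tainted read into a register"
    return "unknown: no memory or control-flow operand"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("%-62s -> %s" % (line, triage(line)))
```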