Vulnerability Development mailing list archives
Re: exploit for W98 long filenameextensions buffer overflow
From: 11a () GMX NET (Bluefish)
Date: Tue, 2 May 2000 02:55:58 +0200
I've no experience of writing buffer overflows, but it would seem that the difference between Benjamin H.'s explorer.exe and the one the exploit works with is quite minor?
Bytes at CS:EIP: Stack values: 43427044 43cccccc 43427244 43427344
-------------^^^^^^ sample overflow --^^^^^^^^^^^ 'junk code' from overflow, change to 90 hex or change EIP somewhat

So, using 90 (NOP), which should be no problem to use in a filename, would solve this? Make the five (or all) characters before the 'exploit' 90 hex.
Does anyone know how to get EIP pointing to the stack? Or might there be a way to execute code that's in EBP (as we control it, too), something like "mov [ebx], ebp ; jmp ebx"?
To execute code, you have to be able to change CS:EIP (where you execute code) or overflow a static buffer in the code segment (don't know if this is common in most systems?). Typically a buffer overflow is to overflow something on the stack and then overwrite the return address. Example:

    | some stuff     | <- ESP points here
    | char[23] y     |
    |                |
    | return address |

So, once writing to y[23] (or rather, y[23..27]) you will store a new value for EIP. Once the function exits, it will fetch the return address using 'RET'. As you have overwritten it, EIP will change to wherever you asked it to. So unless it's a very unusual function, control over EBX won't be useful.

Now, that above is based on theory taught in school, no real world experience. So I won't guarantee 100% correctness. But EBP shouldn't be very useful. More information should be available in some tutorial on the net, I presume.

It's my impression that you misunderstood something; it seems quite clear to me that the exploit was successful in changing EIP, and that no major changes are needed to make the overflow executable on both variants of win98 explorer.exe.
I hope somebody out there has a solution or knows at least a tool for finding static code (perhaps in the kernel?).
You mean in order to do system calls? Way beyond my knowledge of Windows internals.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
Current thread:
- Re: exploit for W98 long filenameextensions buffer overflow Bluefish (May 01)