Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Exploiting new IE Object Type Overflow

From: "Brett Moore" <brett () softwarecreations co nz>
Date: Fri, 6 Jun 2003 15:16:16 +1200

IE version:6.0.2800.1106

I too seem unable to replicate the overflow in a way described in the eEye
advisory, but there's always more than one way to skin a cat.

<object type="[/x64]AAAAAAAAAAAAXXXXNOPSLIDESHELLCODE">Cooler Than Centra
Spike</object>

causes an exception. "0x70bf6c55" reference memory at "0x58585858". can't be
written.
70BF6C55   mov         byte ptr [edi],al

By supplying a valid 'writeable' address we bypass this exeception and end
up with.

Unhandled exception. Access Violation at 0x41414141.

Having a look at the address that we used for the valid writeable address we
can see
a full copy of our exploit string.

Thus if we plug our writeable address instead of x, the write will copy out
shellode
to our 'known' writeable address space. Then by using an adjusted value for
the AAAA
we can jump straight to the 'known' location of our shellcode.

Hopefully Drew will make some comments around the difference's between
these. Perhaps
different buffer sizes affect different versions differently?.

Brett

-----Original Message-----
From: Dave [mailto:chaboyd77 () yahoo com]
Sent: Thursday, June 05, 2003 3:45 PM
To: vuln-dev () securityfocus com
Subject: Exploiting new IE Object Type Overflow




Hi,

I've had really good success with basic overflows and have been trying to
attempt something moderate+. I've successfully duplicated the overflow (IE
Object Type) (ESP doesn't seem to be overwritten, but EDI is). However,
since the value located in EDI is referenced then program flow can be
controlled?? I just can't seem to do anything with EDX as stated in the
EEYE Advisory..

"This allows us to take control of key registers so as to run code that we
specify, which will be available at the EDX register.

On my system (2000 Pro SP3) EDX always has a value of 0 and nothing I do
changes its value or any other registers value (besides EDI).  Also, this
is different from a regular stack overflow as placing the address of a JMP
ESP in EDI doesn't always seem to be gauranteed to point to my code.

Is there something really easy I'm missing here?
Thanks,
Dave
Previous By Date Next
Previous By Thread Next

Current thread: