Vulnerability Development mailing list archives

Re: Exploiting network services question


From: James Longstreet <jlongs2 () uic edu>
Date: Sat, 18 Dec 2004 20:56:44 -0600 (CST)

On Mon, 13 Dec 2004 just-a-nick () gmx net wrote:

> I have a question regarding the exploitation of network services.
> If I send the following string to a service
>
> ["A"x78]["abcd"][junk - up to 430 bytes]
>
> I can control eip with "abcd". How can I exploit this? Is there a good
> tutorial that I should read? Unfortunately I did not find anything
> useful with google...

I'm not sure I understand your question.  Does the value you put in for
eip have to be alphabetic, or is the "abcd" simply notation for "anything
I want?"

Both are exploitable -- at least theoretically.  If the return address
can be anything you want, and if that 430 bytes of junk is also
controlled by you, put a payload there.  Find out the address of
that payload (hint: use gdb), and replace "abcd" with that address.

If it has to be alphabetic, it still may be exploitable.  The original
return address is probably going to be something in the 0x08xxxxxx range,
which is usually where code is.  Since 0x08 isn't alphabetic, you can't
overflow the whole address.  But if you're precise, you can control 1, 2,
or 3 bytes of it.  See if there's a bit of code in the range that you can
set it to that might be fun to execute.
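As an added illustration (not code from this thread or from the service in question), the C below models the layout the poster describes: 78 filler bytes, 4 bytes landing on the saved return address, 430 bytes of junk, 512 bytes in all. The 78-byte stack buffer, the zero-byte gap before the saved return address and the handler shapes are assumptions; the triage helper shows why that length gives full control of eip, and the bounded handler is the fix a maintainer would ship.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (constructed to match the thread): a 78-byte request
 * buffer on the stack with the 4-byte saved return address right after it. */
#define REQ_BUF_SIZE 78
#define RET_GAP 0           /* bytes between end of buffer and saved eip */
#define RET_SIZE 4          /* 32-bit return address */

/* Crash triage helper: how many bytes of the saved return address does an
 * input of `len` bytes reach? 0 = never touched, 4 = full control, which is
 * what the post reports for its 512-byte message. */
size_t ret_bytes_reached(size_t buf_size, size_t gap, size_t len)
{
    size_t start = buf_size + gap;          /* offset of first ret byte */
    if (len <= start) return 0;
    size_t reached = len - start;
    return reached > RET_SIZE ? RET_SIZE : reached;
}

/* Vulnerable shape that produces the behaviour in the thread: the length
 * comes from the network and is never checked. Shown for contrast only;
 * nothing here calls it. */
void handle_request_unbounded(const uint8_t *msg, size_t len)
{
    uint8_t buf[REQ_BUF_SIZE];
    memcpy(buf, msg, len);                  /* len > 78 clobbers the frame */
    (void)buf;
}

/* Hardened form: the copy is bounded by the destination and an oversized
 * message is rejected with -1 rather than silently truncated, so the caller
 * can log the event and drop the connection. */
int handle_request_bounded(const uint8_t *msg, size_t len,
                           uint8_t *out, size_t out_size)
{
    if (msg == NULL || out == NULL || len > out_size) return -1;
    memcpy(out, msg, len);
    return (int)len;
}

/* Build the 512-byte message the poster describes (constructed data). */
size_t build_thread_message(uint8_t *m, size_t cap)
{
    if (cap < 512) return 0;
    memset(m, 'A', 78);                     /* ["A"x78]                   */
    memcpy(m + 78, "abcd", 4);              /* ["abcd"] -> saved eip      */
    memset(m + 82, 'J', 430);               /* [junk - up to 430 bytes]   */
    return 512;
}
```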
