Vulnerability Development mailing list archives
Re: 3COM TFTPD Overflow: SEH Overwrite
From: lists () skilltube com
Date: Mon, 04 Feb 2008 18:31:51 +0100
What vulnerability are you trying to exploit? This one? http://www.securityfocus.com/bid/21322

In your document, you say "I look for POP/POP/RET ws2_32.dll (to avoid SafeSEH restrictions?)". Are you telling or asking? Can you please provide a little more info. Otherwise it is hard to help here.

If you try to exploit the vulnerability mentioned above, send the following request (perl style):

    $buffer  = "\x00\x01";
    $buffer .= "\x41\x00";
    $buffer .= "A" x 480;

That should give you control over eip. By selecting the right return address, you end up in a reliable exploit.

Quoting jeremy.junginger () gmail com:
I'm attempting to exploit an already known bug in 3COM TFTPD server, and execute "calc.exe" with my shellcode. I have control of ECX/EIP, and can overwrite both SEH and pointer to next SEH successfully, and have used:

    Pointer to next SEH: \xeb\x10\x90\x90
    SEH:                 \x69\x12\xab\x71 (POP/POP/RET in ws2_32.dll)

A full writeup with screenshots is available at: http://filebin.ca/pmuwqm/SEHOverwrite.rtf

I'm getting "Debugged program was unable to process exception", so I hit shift+f9 (in olly) and it terminates with some strange exit code. Could you take a peek and see what I'm missing here?

Thanks guys!
-jj
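As an added, defensive example (not code from either poster or from the 3Com server): a small check that parses a TFTP read/write request against its RFC 1350 layout (opcode, NUL-terminated filename, NUL-terminated mode) and flags requests like the one in the reply above, where the trailing field is not terminated and far exceeds any legal mode string. The field-length limits and mode set are assumptions chosen for the check, not values taken from the affected server.

```python
import struct

# Assumed limits for the validator. The longest mode defined by RFC 1350 is
# "netascii" (8 bytes); the filename cap is a generous local policy choice.
MAX_FILENAME = 255
MAX_MODE = 8
VALID_MODES = {b"netascii", b"octet", b"mail"}


def parse_tftp_request(pkt: bytes) -> dict:
    """Parse an RRQ/WRQ; raise ValueError on anything malformed or oversized."""
    if len(pkt) < 4:
        raise ValueError("packet too short for a TFTP request")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode not in (1, 2):  # 1 = RRQ, 2 = WRQ
        raise ValueError(f"not a read/write request (opcode {opcode})")
    fields = pkt[2:].split(b"\x00")
    # A well-formed request ends with a NUL, so the final split element is empty.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("filename and mode are not both NUL-terminated")
    filename, mode = fields[0], fields[1]
    if not 0 < len(filename) <= MAX_FILENAME:
        raise ValueError(f"filename length {len(filename)} out of range")
    if len(mode) > MAX_MODE or mode.lower() not in VALID_MODES:
        raise ValueError(f"mode field is {len(mode)} bytes or not a known mode")
    return {"opcode": opcode, "filename": filename, "mode": mode.lower()}


def is_suspicious(pkt: bytes) -> bool:
    """True when the request should be logged/dropped rather than served."""
    try:
        parse_tftp_request(pkt)
        return False
    except ValueError:
        return True


# Constructed samples: a normal RRQ, and the request shape quoted in the reply.
GOOD_RRQ = b"\x00\x01" + b"config.bin\x00" + b"octet\x00"
OVERLONG_RRQ = b"\x00\x01" + b"\x41\x00" + b"A" * 480

if __name__ == "__main__":
    print(parse_tftp_request(GOOD_RRQ))
    print("overlong request suspicious:", is_suspicious(OVERLONG_RRQ))
```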