Dailydave mailing list archives

Re: Exploitation of EIP with only ASCII


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Sun, 19 Mar 2006 16:57:41 -0600

The process I tend to use:

1) Dump the process's address space with memdump.exe (framework/tools), 
then use msfpescan -d <directory created by memdump> with -s/-j/-x to 
find a valid return address. Write a filtering script or just hack up 
msfpescan to only display addresses that match your allowed character 
set.

2) Try to perform a partial overwrite of the return address/SEH ptr and 
see if I can change the LSBs to point to an interesting opcode in 
the .text section of the calling function (or wherever the SEH happened 
to be). If the string is null-terminated for you by the application 
(often the case), this gives you access to 0x00XXYYZZ, which gives you 
even more options for your return.

Good luck!

-hD

On Sunday 19 March 2006 15:08, CIRT.DK Mailinglists wrote:
Hey there

I have a question: do any of you have ideas on how to exploit a
buffer overflow where the EIP is controlled, but the only valid
characters for the part where the EIP is located on the stack are A-Z
uppercase and nothing else?

In the same bug the SEH is also controlled, but again the only valid
characters are uppercase A-Z (0x41-0x5A).

I've tried to see if I could find a valid JMP, JE, JNE, or CALL EBX, but so
far no luck.

Any ideas?

Regards
Dennis Rand
CIRT.DK
