Dailydave mailing list archives
Re: Exploitation of EIP with only ASCII
From: Andrew Christensen <anc () fortconsult net>
Date: Wed, 22 Mar 2006 00:32:46 +0100
Hmmm.. I've just been looking at the scenario of overflows where only [A-Z] can be used due to filters, specifically on Windows XP. After some more inspection, it seems like NONE of the loaded modules are actually at memory addresses which can be represented using uppercase ASCII letters....?

As far as I can tell, this basically means the only option is performing a partial overwrite and ending up somewhere else in the module where the overflow actually occurs, at addresses of xxxx0041 to xxxx005A. So - I guess the correct approach is looking for anything useful within the overflown module, within the scope of those addresses.

Is there anything I'm missing? I would be very appreciative of any insight...

- Andrew

P.S. I suppose the fact that NONE of the modules are at upper-case-letter-addressable addresses could have something to do with the specific language pack on the machine I used for testing, so if anybody sees other results I'd be interested to hear that too.

"Halvar Flake" <HalVar () gmx de>
20-03-2006 08:55
To: H D Moore <hdm-daily-dave () digitaloffense net>
cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Exploitation of EIP with only ASCII
> I've tried to see if I could find a valid JMP, JE, JNE CALL EBX but so

In many situations, an "add esp, xxx -- retn" can be just as useful.
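As an added illustration of the two checks Andrew describes (this is not code from the thread or any of its participants): whether any loaded module contains addresses whose every byte is an uppercase letter, and which addresses a one-byte partial overwrite can reach when the copy's NUL terminator lands in the next byte (the xxxx0041..xxxx005A range). It is useful when triaging how reachable such a filtered overflow is in a given process layout; the module list and the function names are constructed assumptions, not values from the thread.

```python
import bisect

LETTERS = range(0x41, 0x5B)  # byte values 'A'..'Z'

# Every 32-bit address whose four bytes are all uppercase letters
# (26**4 = 456976 values), kept sorted so module ranges can be bisected.
UPPERCASE_ADDRS = sorted(
    (b3 << 24) | (b2 << 16) | (b1 << 8) | b0
    for b3 in LETTERS for b2 in LETTERS for b1 in LETTERS for b0 in LETTERS
)

def is_uppercase_addr(addr):
    """True if every byte of the 32-bit address is in 'A'..'Z'."""
    return all(0x41 <= (addr >> s) & 0xFF <= 0x5A for s in (0, 8, 16, 24))

def uppercase_addrs_in(base, size):
    """Uppercase-only addresses that fall inside [base, base + size)."""
    lo = bisect.bisect_left(UPPERCASE_ADDRS, base)
    hi = bisect.bisect_left(UPPERCASE_ADDRS, base + size)
    return UPPERCASE_ADDRS[lo:hi]

def audit_modules(modules):
    """For each (name, base, size), count the fully uppercase addresses it contains."""
    return {name: len(uppercase_addrs_in(base, size)) for name, base, size in modules}

def partial_overwrite_targets(ret_addr, base, size):
    """Addresses reachable by overwriting only the low byte of ret_addr with a letter,
    assuming a C-string copy whose NUL terminator then lands in the second byte
    (giving xxxx0041..xxxx005A). Only targets inside [base, base + size) are kept."""
    high = ret_addr & 0xFFFF0000
    return [high | b for b in LETTERS if base <= (high | b) < base + size]

# Constructed, hypothetical module layout (not taken from the thread).
MODULES = [
    ("modA.dll", 0x7C800000, 0x000F6000),  # top byte 0x7C: never representable
    ("modB.dll", 0x10000000, 0x00020000),  # top byte 0x10: never representable
    ("modC.dll", 0x41410000, 0x00010000),  # 0x4141xxxx: 26*26 representable addresses
]

if __name__ == "__main__":
    print(audit_modules(MODULES))
    print([hex(a) for a in partial_overwrite_targets(0x7C80ABCD, 0x7C800000, 0x000F6000)])
```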