Dailydave mailing list archives
Re: Exploitation of EIP with only ASCII
From: Andrew Christensen <anc () fortconsult net>
Date: Wed, 22 Mar 2006 00:32:46 +0100
Hmmm.. I've just been looking at the scenario of overflows where only [A-Z]
can be used due to filters, specifically on Windows XP.
After some more inspection, it seems like NONE of the loaded modules are
actually at memory addresses which can be represented using uppercase ASCII
letters....?
As far as I can tell, this basically means the only option is performing a
partial overwrite and ending up somewhere else in the module where the
overflow actually occurs, at addresses of xxxx0041 to xxxx005A.
So - I guess the correct approach is looking for anything useful within the
overflown module, within the scope of those addresses.
Is there anything I'm missing? I would be very appreciative of any
insight...
- Andrew
P.S.
I suppose the fact that NONE of the modules are at
upper-case-letter-addressable addresses could have something to do with the
specific language pack on the machine I used for testing, so if anybody
sees other results I'd be interested to hear that too.
On 20-03-2006 08:55, "Halvar Flake" <HalVar () gmx de> wrote to H D Moore <hdm-daily-dave () digitaloffense net>, cc dailydave () lists immunitysec com, Subject: Re: [Dailydave] Exploitation of EIP with only ASCII
I've tried to see if I could find a valid JMP, JE, JNE CALL EBX but so
In many situations, an "add esp, xxx -- retn" can be just as useful.
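As an added example (not code from the thread or from either poster), the following C program models the constraint Andrew describes and the gadget types mentioned in the thread. Only bytes 0x41..0x5A ('A'..'Z') can reach the saved return address, so with a partial overwrite of the low n bytes of EIP every overwritten byte must be an uppercase letter; the scanner walks a constructed, hypothetical module image mapped at an assumed base of 0x7C800000 and reports only the reachable addresses that start a ret, a jmp/call ebx, or Halvar's "add esp, imm8; ret". The image contents, the base address and the planted gadget offsets are all made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODULE_BASE 0x7C800000u   /* hypothetical image base (little-endian x86) */
#define IMAGE_LEN   0x5000u       /* size of the constructed sample image */

static uint8_t image[IMAGE_LEN];

static int is_upper(uint8_t b) { return b >= 0x41 && b <= 0x5A; }

/* With a partial overwrite of the low `nbytes` bytes of a little-endian
 * 32-bit return address, only those bytes come from the attacker and must
 * be [A-Z]. nbytes == 4 is a full overwrite: the whole address must be [A-Z]. */
int addr_reachable(uint32_t addr, int nbytes) {
    for (int i = 0; i < nbytes; i++)
        if (!is_upper((uint8_t)(addr >> (8 * i))))
            return 0;
    return 1;
}

/* Classify the bytes at p as one of the gadget kinds discussed in the thread. */
const char *classify(const uint8_t *p, size_t remaining) {
    if (remaining >= 1 && p[0] == 0xC3) return "ret";
    if (remaining >= 2 && p[0] == 0xFF && p[1] == 0xE3) return "jmp ebx";
    if (remaining >= 2 && p[0] == 0xFF && p[1] == 0xD3) return "call ebx";
    if (remaining >= 4 && p[0] == 0x83 && p[1] == 0xC4 && p[3] == 0xC3)
        return "add esp, imm8; ret";
    return NULL;
}

struct hit { uint32_t addr; const char *kind; };

/* Scan an image of `len` bytes mapped at `base`; record up to `max` gadgets
 * whose address survives an nbytes-wide [A-Z] partial overwrite. Returns the
 * total number of qualifying gadgets, even if more than `max` were found. */
size_t scan(const uint8_t *img, size_t len, uint32_t base, int nbytes,
            struct hit *out, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off < len; off++) {
        uint32_t addr = base + (uint32_t)off;
        if (!addr_reachable(addr, nbytes)) continue;
        const char *k = classify(img + off, len - off);
        if (!k) continue;
        if (n < max) { out[n].addr = addr; out[n].kind = k; }
        n++;
    }
    return n;
}

/* Constructed sample image (not a real module): zero-filled, with a few
 * gadgets planted at chosen offsets so the address filter has something
 * to accept and something to reject. */
const uint8_t *build_image(void) {
    static const uint8_t add_esp_ret[] = {0x83, 0xC4, 0x10, 0xC3}; /* add esp,0x10 ; ret */
    static const uint8_t jmp_ebx[]     = {0xFF, 0xE3};
    static const uint8_t call_ebx[]    = {0xFF, 0xD3};
    memset(image, 0, sizeof image);
    image[0x0030] = 0xC3;                    /* ret at ...0030: '0', not a letter  */
    image[0x0041] = 0xC3;                    /* ret at ...0041: 'A'                */
    memcpy(image + 0x004C, add_esp_ret, 4);  /* at ...004C: 'L' (its ret is at ...004F, 'O') */
    memcpy(image + 0x005B, jmp_ebx, 2);      /* at ...005B: '[', not a letter      */
    memcpy(image + 0x4A50, call_ebx, 2);     /* at ...4A50: "PJ", two letter bytes */
    return image;
}

int main(void) {
    const uint8_t *img = build_image();
    struct hit hits[16];
    for (int nbytes = 1; nbytes <= 4; nbytes++) {
        size_t n = scan(img, IMAGE_LEN, MODULE_BASE, nbytes, hits, 16);
        printf("%d-byte overwrite: %zu usable gadget(s)\n", nbytes, n);
        for (size_t i = 0; i < n && i < 16; i++)
            printf("  0x%08X  %s\n", hits[i].addr, hits[i].kind);
    }
    return 0;
}
```

With a one-byte overwrite the scan accepts the ret at ...0041, the add esp/ret at ...004C (and the ret it ends with at ...004F) and the call ebx at ...4A50; a two-byte overwrite keeps only ...4A50, because the second address byte of everything else is 0x00; a full four-byte overwrite finds nothing, since the assumed base byte 0x7C is not a letter, which is the situation Andrew describes. Scanning a real module means reading its mapped image bytes into `image` and using its actual base.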
