Re: Exploitation of EIP with only ASCII

[jnf <jnf () nosec net>]

Andrew,

given your options what you should look for is the ability to either
overwrite one or two bytes of one of the saved addresses on the stack, OR
overwriting something that is used later, for instance if you can
overwrite data that is later pop'd into a register than used as an index
into an array, you may have significant leverage. The bottom line is to be
creative, there are many regions of memory, one of which you control,
where can your control take you exactly? You very well could be able to
change the control flow of the program via a 'if (variable_on_the_stack ==
1) function1(); else function2(variable_on_the_stack2);

As I understood the situation, the allowable characters are [A-Z], this
basically equates to a nop on x86/x86_64, but presuming you give the
program what it expects, what future outcomes can you affect?

Welcome to the rabbit hole Alice.

--

There are only two choices in life. You either conform the truth to your desire,
or you conform your desire to the truth. Which choice are you making?


On Wed, 22 Mar 2006, Andrew Christensen wrote:

> Date: Wed, 22 Mar 2006 00:32:46 +0100
> From: Andrew Christensen <anc () fortconsult net>
> To: Halvar Flake <HalVar () gmx de>
> Cc: dailydave () lists immunitysec com
> Subject: Re: [Dailydave] Exploitation of EIP with only ASCII
>
> Hmmm.. I've just been looking at the scenario of overflows where only [A-Z]
> can be used due to filters, specifically on Windows XP.
>
> After a some more inspection, it seems like NONE of the loaded modules are
> actually at memory addresses which can be represented using uppercase ASCII
> letters....?
>
> As far as I can tell, this basically means the only option is performing a
> partial overwrite and ending up somewhere else in the module where the
> overflow actually occurs, at addresses of xxxx0041 to xxxx005A.
>
> So - I guess the correct approach is looking for anything useful within the
> overflown module, within the scope of those addresses.
>
> Is there anything I'm missing? I would be very appreciative of any
> insight...
>
> - Andrew
>
> P.S.
> I suppose the fact that NONE of the modules are at
> upper-case-letter-addressable addresses could have something to do with the
> specific language pack on the machine I used for testing, so if anybody
> sees other results I'd be interested to hear that to.
>
>
>
>
>
>              "Halvar Flake"
>              <HalVar () gmx de>
>                                                                         To
>              20-03-2006 08:55          H D Moore
>                                        <hdm-daily-dave () digitaloffense net>
>                                                                         cc
>                                        dailydave () lists immunitysec com
>                                                                    Subject
>                                        Re: [Dailydave] Exploitation of EIP
>                                        with only ASCII
>
>
>
>
>
>
>
>
>
>
>
> > > I've tried to see if I could find a valid JMP, JE, JNE CALL EBX but so
>
> In many situations, an "add esp, xxx -- retn" can be just as useful.
>
> --
> Echte DSL-Flatrate dauerhaft für 0,- Euro*!
> "Feel free" mit GMX DSL! http://www.gmx.net/de/go/dsl