Dailydave mailing list archives

Re: A 3 a.m. Riddle


From: "Dave Korn" <dave.korn () artimi com>
Date: Wed, 30 May 2007 15:15:13 +0100

On 30 May 2007 07:13, Nicolas Waisman wrote:

Let's have a fun riddle to cheer up the spirit (Mate at 11pm, it's all-night
insomnia.)

 The riddle: Let's say you are trying to exploit a remote service on an
old Windows 2000 (whatever SP you want) and the primitive is the following:
    inc [edi]   // you control edi

 What would be the best option for edi?

  Depends what else you control apart from edi, and whether you can do it more
than once.  If you can overwrite an SEH handler, point edi at an illegal
address to invoke your code.  If you can do it multiple times, perhaps you can
point edi somewhere on the stack and increment a stored ebp to point at data
you control.  Don't forget the possibility of pointing it at a
non-word-aligned address to e.g. increment just the high byte of a stored
pointer.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave