Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Remote buffer overflow in httpdx

From: Freddie Vicious <fred.vicious () gmail com>
Date: Fri, 16 Oct 2009 07:42:21 -0700
Just saw this on Twitter, an MSF exploit published:
http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/

On Fri, Oct 9, 2009 at 7:58 PM, <pankaj208 () gmail com> wrote:


The addr value used is required to reach the ret instruction. The value
used 0x63b8624f lies in idata segment of n.dll
Note that in order to reach ret instruction,
value at addr+0x0e0f should be non-zero for
if(isset(client->serve.redirect)) to succeed  => 004069E1  CMP BYTE PTR
DS:[EAX+0E0F],0
and
addr+0x0f24 should be writable for client->state = STATE_DONE to execute.
=> 00406AAF  MOV DWORD PTR DS:[EAX+0F24],0

The other two addresses used are
ret1 = 0x64f8134b (pop ret in core.dll) to pop addr and return to ret2
ret2 = 0x7c874413 (jmp esp in kernel32.dll) to jump to shellcode following
ret2.

Though I am able to get a shell, the retn/offsets used are not universal.

Thanks,
Pankaj





-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: