Metasploit mailing list archives
question about the return addr of the serv-u exploit
From: hdm at metasploit.com (H D Moore)
Date: Fri, 9 Apr 2004 12:51:29 -0500
Welcome to the mailing list :) There are about 60 people currently subscribed, feel free to post on anything relevant to the Framework or system exploitation in general. On Friday 09 April 2004 12:06, Guy Incognito wrote:
> I'm wondering whether you can use the return addr 0x00401877 for the Serv-U exploit. I have tested it with the Framework and it works great, but I once coded my own exploit and when I use this offset there it doesn't work because of the null byte.
This was Spoonm's trick, but I don't see him online... Since the return address is the last four bytes of the request, the server actually writes the trailing NULL byte for us when copying it from the receive buffer. This return address points to the x86 egg searcher code, which then scans memory for the real payload.
> I attached Olly to the process and I can see that at the beginning there is 0x00401877 in memory, but the Serv-U process passes through some functions and then the NULL byte is suddenly 0xeb.
If you make your overflow just long enough to trash this return, it should work fine. There were a few other tricks to exploiting Serv-U, but since it's Spoonm's code, I will let him explain those. -HD
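The mechanism HD describes above, shown as an added C example (not code from the original thread, the Framework, or the Serv-U module): a NUL-terminating string copy appends one 0x00 after the bytes it copies, so three bytes at the very end of a buffer (77 18 40, little-endian) become the four-byte value 0x00401877 in the destination, whereas a length-bounded raw copy leaves the fourth byte untouched. The sample request below is constructed for the demonstration and is not a real Serv-U packet; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample request (not a real Serv-U packet): filler followed by
 * the three low-order bytes of 0x00401877 in little-endian order (77 18 40).
 * The high byte 0x00 is deliberately absent from the wire data. */
static const unsigned char sample_request[] =
    "AAAAAAAAAAAAAAAA\x77\x18\x40";
#define SAMPLE_REQUEST_LEN (sizeof sample_request - 1)   /* exclude the C terminator */

/* Read four bytes at p as a little-endian 32-bit value (x86 byte order). */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Model of a NUL-terminating copy (strcpy-style): the copy writes the
 * request bytes and then one extra 0x00. Returns the 32-bit value formed
 * by the last three request bytes plus the byte written after them. */
uint32_t tail_after_string_copy(const unsigned char *req, size_t len) {
    unsigned char dest[64];
    memset(dest, 0xCC, sizeof dest);   /* visible filler for untouched bytes */
    if (len < 3 || len + 1 > sizeof dest) return 0;
    memcpy(dest, req, len);
    dest[len] = '\0';                  /* the terminator the copying code adds */
    return le32(dest + len - 3);
}

/* Model of a length-bounded raw copy: no terminator is written, so the
 * fourth byte is whatever the destination already held (0xCC here). */
uint32_t tail_after_raw_copy(const unsigned char *req, size_t len) {
    unsigned char dest[64];
    memset(dest, 0xCC, sizeof dest);
    if (len < 3 || len > sizeof dest) return 0;
    memcpy(dest, req, len);
    return le32(dest + len - 3);
}

/* A strcpy-style copy stops at the first 0x00, which is why the full
 * four-byte address cannot sit anywhere but at the very end of the data.
 * Returns the number of bytes such a copy would actually transfer. */
size_t bytes_copied_by_strcpy(const unsigned char *req, size_t len) {
    size_t n = 0;
    while (n < len && req[n] != 0) n++;
    return n;
}

int main(void) {
    printf("string copy tail: 0x%08x\n",
           (unsigned)tail_after_string_copy(sample_request, SAMPLE_REQUEST_LEN));
    printf("raw copy tail:    0x%08x\n",
           (unsigned)tail_after_raw_copy(sample_request, SAMPLE_REQUEST_LEN));

    /* Constructed: the same three bytes plus an explicit 0x00 in the middle. */
    const unsigned char with_null[] = "AAAA\x77\x18\x40\x00" "BBBB";
    size_t total = sizeof with_null - 1;
    printf("strcpy would transfer %zu of %zu bytes\n",
           bytes_copied_by_strcpy(with_null, total), total);
    return 0;
}
```

The first call yields 0x00401877 because the terminator supplies the missing high byte; the raw copy yields 0xCC401877, the destination's old contents. The third call shows the other half of the constraint: an embedded 0x00 ends the copy, so only the trailing position of the request can rely on this behaviour.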