Metasploit mailing list archives

question about the return addr of the serv-u exploit


From: hdm at metasploit.com (H D Moore)
Date: Fri, 9 Apr 2004 12:51:29 -0500

Welcome to the mailing list :) There are about 60 people currently 
subscribed, feel free to post on anything relevant to the Framework
or system exploitation in general.

On Friday 09 April 2004 12:06, Guy Incognito wrote:
> I'm wondering if you can use the return addr 0x00401877 for the Serv-U
> exploit. I have tested it with the framework and it works great, but
> I once coded my own exploit, and when I use this offset there it
> doesn't work because of the null byte.

This was Spoonm's trick, but I don't see him online...

Since the return address is the last four bytes of the request, the server 
actually writes the trailing NULL byte for us when copying it from the 
receive buffer. This return address points to the x86 egg searcher code, 
which then scans memory for the real payload.

> I attached Olly to the process and I can see that at the beginning
> there is 0x00401877 in memory, but the Serv-U process passes through some
> functions and then the NULL byte is suddenly 0xeb.

If you make your overflow just long enough to trash this return, it should 
work fine. There were a few other tricks to exploiting Serv-U, but since 
it's Spoonm's code, I will let him explain those.

-HD
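An added illustration of the terminator point HD makes above; this is not code from the thread, from Spoonm's module or from the Framework. It assumes a strcpy-style copy (the kind that appends its own NUL) and uses a constructed request string whose last three bytes are 0x77 0x18 0x40. Once the copy writes its terminator, those three bytes plus the NUL read back as the little-endian dword 0x00401877, which is why a value ending in 0x00 can still land intact. The copy helper is bounds-checked and refuses oversized input, which is the fix on the server side: the terminator behaviour itself is harmless once the length is checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copy a NUL-terminated string into dst the way a C string copy does,
 * returning the number of bytes written including the terminator.
 * Unlike a bare strcpy, it refuses input that would not fit (returns 0)
 * instead of writing past the end of dst. */
size_t copy_with_terminator(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > dst_len) {
        return 0; /* bounds check: the terminator must fit too */
    }
    memcpy(dst, src, n + 1); /* n payload bytes plus the terminating NUL */
    return n + 1;
}

/* Interpret the last four bytes of buf as a little-endian 32-bit value,
 * the way an x86 CPU reads a saved return address off the stack. */
uint32_t last_dword_le(const unsigned char *buf, size_t len) {
    const unsigned char *p = buf + len - 4;
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* Constructed request (hypothetical, not Serv-U traffic): the text ends
 * with the bytes 77 18 40. After the copy appends its NUL the tail of the
 * buffer is 77 18 40 00, i.e. 0x00401877 as a little-endian dword. */
uint32_t demo_trailing_nul(void) {
    const char request[] = "USER AAAA\x77\x18\x40";
    unsigned char buf[64];
    size_t written = copy_with_terminator((char *)buf, sizeof buf, request);
    if (written < 4) {
        return 0;
    }
    return last_dword_le(buf, written);
}

/* Same copy against a buffer that is too small: the bounded helper
 * returns 0 rather than overrunning the destination. */
size_t demo_rejected_copy(void) {
    const char request[] = "USER AAAA\x77\x18\x40"; /* 12 bytes + NUL */
    char small[8];
    return copy_with_terminator(small, sizeof small, request);
}

int main(void) {
    printf("last dword after copy: 0x%08x\n", demo_trailing_nul());
    printf("bytes written to small buffer: %zu\n", demo_rejected_copy());
    return 0;
}
```

The first function shows the mechanism (the NUL is supplied by the copy, not by the input); the second shows the defensive property a bounded copy gives you for free, which is the check the vulnerable server lacked.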
