Metasploit mailing list archives

question about the return addr of the serv-u exploit


From: ninjatools at hush.com (ninjatools at hush.com)
Date: Fri, 9 Apr 2004 12:09:31 -0700

Yeah, so you overwrite the SEH, which then jmps to a pop pop ret. The
addr you listed hits a pop pop ret and xor eax, eax pop pop ret (depending
on version) I believe...
after the pop pop ret, we are at the dword before the seh address we
overwrote. So it goes something like:

[stuff][4 bytes of code][0x00401877]

and then you land in the 4 bytes of code.  I then jmp backwards from
the 4 bytes into stuff, which is the searcher code that finds the rest
of the payload, which was specified as the filename of the chmod command.

It stops writing at the "\x00" in "\x77\x18\x40\x00", and then the string
function cuts the buffer and null terminates it for us.

That should be pretty much it. You can see the search code from Pex::Searcher,
and the JmpShort code from Pex::x86 to do the jmp instruction on the
fly based on the size of Pex::Searcher (so there are no nops, everything
is absolute).

There are some other tricks... exercise for the reader ? ;)

Oh yeah, and hey mailing list people :)

-spoon

I'm wondering whether you can use the return addr 0x00401877 for the Serv-U
exploit. I have tested it with the framework and it works great, but
I have once coded my own exploit, and when I use this offset there it
doesn't work because of the null byte.

I attached Olly to the process and I can see that at the beginning
there is 0x00401877 in memory, but the Serv-U process passes through some
functions and then the NULL byte is suddenly 0xeb.

Do you know any trick???
I hope I can get an answer; it will save me a lot of debugging
effort.
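An added example, not code from this thread or from Metasploit's Pex modules, that walks through the layout spoon describes from the analyst's side: find the overwritten handler address in a captured buffer, decode the 4 bytes before it, show where a leading short jump lands, and show where a C string routine cuts the buffer. The 37-byte searcher size and the filler standing in for "stuff" are constructed assumptions.

```python
import struct

# Constructed sample, not a capture from the thread. Layout as described:
# [stuff][4 bytes of code][handler address]. "stuff" stands in for the
# Pex::Searcher stub; here it is plain filler, so nothing executable is embedded.
HANDLER_ADDR = 0x00401877        # pop/pop/ret address discussed in the thread
SEARCHER_SIZE = 37               # hypothetical size of the searcher stub (assumption)
STUFF = b"A" * SEARCHER_SIZE
# jmp short with rel8 = -(37 + 2) = -39 = 0xD9: lands at the start of STUFF,
# followed by two bytes of padding to fill the 4-byte slot.
CODE = b"\xeb\xd9\x90\x90"
SAMPLE = STUFF + CODE + struct.pack("<I", HANDLER_ADDR) + b"never copied by strcpy"


def decode_seh_overwrite(buf, handler_addr):
    """Find the little-endian handler address in buf and decode the 4 bytes
    just before it, which is where pop/pop/ret lands (the record's Next field).
    Returns (code_offset, jmp_target); jmp_target is None when those bytes do
    not start with a short jump (opcode 0xEB, signed 8-bit displacement)."""
    idx = buf.find(struct.pack("<I", handler_addr))
    if idx < 4:
        raise ValueError("handler address not found, or no room for code before it")
    code_off = idx - 4
    code = buf[code_off:idx]
    if code[0] != 0xEB:
        return code_off, None
    rel = struct.unpack("b", code[1:2])[0]   # displacement counts from the end of the 2-byte jmp
    return code_off, code_off + 2 + rel


def c_string_view(buf):
    """What a C string routine keeps: everything up to the first NUL. The 0x00
    high byte of 0x00401877 terminates the copy, which is why the address sits last."""
    return buf.split(b"\x00", 1)[0]


if __name__ == "__main__":
    off, target = decode_seh_overwrite(SAMPLE, HANDLER_ADDR)
    print(f"code at offset {off}, jmp short lands at offset {target}")   # 37, 0
    print(f"string routine keeps {len(c_string_view(SAMPLE))} of {len(SAMPLE)} bytes")
```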






