Metasploit mailing list archives

2 nice pop/pop/ret :) (update)


From: class101 at hat-squad.com (class 101)
Date: Wed, 9 Mar 2005 14:09:45 +0100

but can be useful when you are NOT exploiting via the SEH frame overwrites
on SP2 ;)


-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
----- Original Message -----
From: "H D Moore" <hdm at metasploit.com>
To: <framework at metasploit.com>; "class 101" <class101 at hat-squad.com>
Sent: Wednesday, March 09, 2005 10:33 AM
Subject: Re: [framework] 2 nice pop/pop/ret :) (update)


This actually works on SP0, SP1, SP1a, and SP2 (the last one is a ret 0x16
vs a ret 0x04). Unfortunately, pop/pop/ret addresses in a system library
are completely useless under SP2 when exploiting SEH frame overwrites.

-HD

On Wednesday 09 March 2005 03:01, class 101 wrote:
0x71ABE325 pop esi - pop - retbis - WS2_32.DLL