Metasploit mailing list archives
exploitable???
From: arahzone-msf at yahoo.com (arahzone-msf at yahoo.com)
Date: Sat, 24 Jun 2006 16:02:20 -0700 (PDT)
Hi,

Thanks for your help, this thing is really hard to exploit.

John Sprocket <sargoniv at gmail.com> wrote:

> whenever you look at something like this to see if it's exploitable you can usually see a dependency chain.
>
> to summarize. yes, it's exploitable. would it be a pain in the ass? yea, prolly.
>
> so your goal is to execute code of your choice via a function pointer. let's be backwardz:
>
>     1B0114A3  FF52 10           CALL DWORD PTR DS:[EDX+10]
>     1B0114A1  8B11              MOV EDX,DWORD PTR DS:[ECX]
>     1B01149A  8B8C87 B0000000   MOV ECX,DWORD PTR DS:[EDI+EAX*4+B0]
>     1B011497  0FBFC0            MOVSX EAX,AX
>
> let's summarize whatcha got:
>
> your goal == calling [edx+0x10].
> edx depends on the value at [ecx]
> ecx then depends on the value at [edi + eax*4 + 0xb0]
> and you control some of eax.
>
> our primary variable here is edi which probably gets allocated somewhere. so at the poc [point-of-crash] your process, you're prolly gonna want to know the state of your regs, like mainly edi. see what address edi was allocated at. then add 0xb0 to it. now at 0x1b0114a1, it gets dereferenced again. so, look around for a location where eax points to an address that points to code that you control. then subtract 10 and you're good to go.
>
> after you got that down...then comes figuring out a way to make it "reliable". that's the exciting^W"fun" part. :)
>
> .sargoniv
>
> skape's shit looks like it will rock btw.
> http://metasploit.blogspot.com/2006/04/interprocedural-data-flow-dependencies.html#links
>
> ----pardon this archive paste---
>
> Subject: [framework] exploitable???
> From:
> Date: Thu, 22 Jun 2006 14:24:14 -0700 (PDT)
> Reply-to: framework[at]metasploit.com
>
> Hi,
>
> I am controlling AX in the code below but I don't know how to exploit it. Is this exploitable?
>
>     1B011497  0FBFC0            MOVSX EAX,AX
>     1B01149A  8B8C87 B0000000   MOV ECX,DWORD PTR DS:[EDI+EAX*4+B0]
>     1B0114A1  8B11              MOV EDX,DWORD PTR DS:[ECX]
>     1B0114A3  FF52 10           CALL DWORD PTR DS:[EDX+10]
>
> Thanks in advance
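As an added illustration (not from the thread, and not modelled on any real binary), here is a C rendering of the bug class Sprocket's dependency chain describes: a sign-extended 16-bit index selecting an object pointer from a table, then an indirect call through that object's vtable, shown unchecked beside a version that validates the index first. All names, the table size and the struct layout are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the listing in the thread (hypothetical names, not from
 * any real binary): a 16-bit index (AX) is sign-extended (MOVSX), selects an
 * object pointer from a table at +0xb0 inside a container (EDI), and the
 * object's vtable entry at +0x10 (slot[4] with 4-byte pointers) is called. */
typedef void (*handler_fn)(void);
struct vtable { handler_fn slot[8]; };
struct object { struct vtable *vt; };
#define TABLE_ENTRIES 4
struct container {
    uint8_t header[0xb0];                 /* keeps the table at offset 0xb0 */
    struct object *table[TABLE_ENTRIES];
};

static int calls_made;
static void ok_handler(void) { calls_made++; }

/* MOVSX EAX,AX: any AX value >= 0x8000 becomes a negative 32-bit index. */
static int32_t sign_extend(uint16_t ax) { return (int16_t)ax; }

/* Vulnerable form, mirroring the listing: no range check at all. */
static void dispatch_unchecked(struct container *c, uint16_t ax) {
    struct object *obj = c->table[sign_extend(ax)]; /* MOV ECX,[EDI+EAX*4+0xb0] */
    obj->vt->slot[4]();                             /* MOV EDX,[ECX]; CALL [EDX+0x10] */
}

/* Hardened form: validate the index before it touches memory. */
static bool index_in_range(uint16_t ax) {
    int32_t eax = sign_extend(ax);
    return eax >= 0 && eax < TABLE_ENTRIES;
}
static bool dispatch_checked(struct container *c, uint16_t ax) {
    if (!index_in_range(ax)) return false;          /* rejects negative and oversized */
    struct object *obj = c->table[sign_extend(ax)];
    if (obj == NULL || obj->vt == NULL) return false;
    obj->vt->slot[4]();
    return true;
}

/* Constructed fixture: every table entry points at one well-formed object. */
static struct vtable vt = { .slot = { [4] = ok_handler } };
static struct object obj = { &vt };
static struct container ctr;
static void init_container(void) {
    for (int i = 0; i < TABLE_ENTRIES; i++) ctr.table[i] = &obj;
}
```

The point of `index_in_range` is that the check happens on the sign-extended value, so a 16-bit input of 0xffff is rejected as -1 rather than treated as a large positive index.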