Metasploit mailing list archives
EBX and EDI overwrite instead of EAX and EIP
From: glinares.code at gmail.com (Greg Linares)
Date: Mon, 23 Oct 2006 15:47:24 -0700
This was obviously after exploit: ECX seems to be pointing somwhere in the "A" buffer EBX and EDI as you can see i can put any value in them. EAX 001669F0 ECX 00004141 EDX 00AD0030 EBX 88888888 ESP 0012F2D0 EBP 0012F4EC ESI 001669E8 EDI 77777777 EIP 7C91B3FB ntdll.7C91B3FB C 0 ES 0023 32bit 0(FFFFFFFF) P 1 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDF000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G) DR0 00000000 DR1 00000000 DR2 00000000 DR3 00000000 DR6 00000000 DR7 00000000 and here is the stack 0012F2F4 /0012F334 0012F2F8 |4CDE2A15 RETURN to IDPDX32.4CDE2A15 from <JMP.&IDAPI32.OsMuxUnlock> 0012F2FC |010587BC 0012F300 |4BE5274A IDAPI32.4BE5274A 0012F304 |00000001 0012F308 |77777777 0012F30C |0012F334 0012F310 |00000000 0012F314 |00120000 0012F318 |00000000 0012F31C |0012F300 0012F320 |4CDE2877 RETURN to IDPDX32.4CDE2877 from IDPDX32.4CE163F4 0012F324 |0012FC18 0012F328 |FFFFFFFF 0012F32C |01065DBC 0012F330 |00000000 0012F334 ]0012F34C 0012F338 |4BE4095E RETURN to IDAPI32.4BE4095E from IDAPI32.4BE41D04 0012F33C |0012F7D8 0012F340 |0000002D 0012F344 |6BDE97A6 0012F348 |0012F7D8 0012F34C \0012F7B8 adn on closer inspection it appears its trying to turn the parameter into a lowercase format 001659F0 6C 61 64 64 72 65 73 73 00 6C 6F 77 65 72 00 41 laddress.lower.A 00165A00 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00165A10 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA ...... huge buffer.... 001669E0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 001669F0 77 77 77 77 88 88 88 88 00 00 00 00 00 00 00 00 wwww????........ Hope this helps and of course credit will be noted and given :) On 10/23/06, H D Moore <hdm at metasploit.com> wrote:
The important part is what operation is performed with EBX and EDI. Can you paste the actual operation and the register states? -HD On Monday 23 October 2006 16:20, Greg Linares wrote:[x90 Sled] [Shell Code] [EDI overwrite (JMP to EAX + Location of Shellcode)] [EBX overwrite (JMP to EDI)] I am assuming this is an exploitable vector but I could be wrong. Am I on the right path for this type of issue?
Current thread:
- EBX and EDI overwrite instead of EAX and EIP Greg Linares (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP H D Moore (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP Greg Linares (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP H D Moore (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP Greg Linares (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP Greg Linares (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP H D Moore (Oct 23)