Metasploit mailing list archives

EBX and EDI overwrite instead of EAX and EIP


From: Glinares at PCOnsite.com (Greg Linares)
Date: Mon, 23 Oct 2006 16:01:19 -0700


I just noticed that I didn't copy that in there, and was on the way to
reposting.
        7C91B3F2   . 8B5E 0C        MOV EBX,DWORD PTR DS:[ESI+C]
        7C91B3F5   . 899D 9CFEFFFF  MOV DWORD PTR SS:[EBP-164],EBX
here >> 7C91B3FB   . 8B0B           MOV ECX,DWORD PTR DS:[EBX]
        7C91B3FD   . 3B4F 04        CMP ECX,DWORD PTR DS:[EDI+4]
        7C91B400   . 0F85 68BA0100  JNZ ntdll.7C936E6E
        7C91B406   . 3BC8           CMP ECX,EAX
        7C91B408   . 0F85 60BA0100  JNZ ntdll.7C936E6E



-----Original Message-----
From: H D Moore [mailto:hdm at metasploit.com] 
Sent: Monday, October 23, 2006 3:54 PM
To: framework at metasploit.com
Subject: Re: [framework] EBX and EDI overwrite instead of EAX and EIP

While the register dumps are great, we need to see the actual opcode being
executed with these registers. This should look something like:

mov [ebx], edi

-HD

On Monday 23 October 2006 17:47, Greg Linares wrote:
EIP 7C91B3FB ntdll.7C91B3FB
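The point HD makes above, that a register dump on its own does not say what the crash is, can be turned into a small triage routine: the opcode at EIP tells you which memory operand faulted, which registers decided its address, and whether the access was a read or a write (a read through a corrupted pointer and a write through one, the `mov [ebx], edi` shape, are very different findings for whoever has to assess the bug). The script below is an added example, not code from this thread or from the Metasploit project. It parses an OllyDbg-style register dump and listing, finds the line at EIP, and reports each memory access. The `EIP 7C91B3FB ntdll.7C91B3FB` line and the five ntdll listing lines are the ones posted in the thread; every other register value, the `0BADF00D` pointer and the `00401000` write example are constructed sample data, and the mnemonic/opcode-byte separation is a heuristic described in the code.

```python
"""Crash-triage helper: from an OllyDbg-style register dump and listing, find the
instruction at EIP, which registers decide each memory operand's address, and
whether the access is a read or a write. Added example, not code from this thread
or from Metasploit; the EIP line and ntdll listing lines are from the thread, every
other value below is constructed sample data."""
import re

REGS32 = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP", "EIP"}
READ_ONLY_DEST = {"CMP", "TEST", "PUSH", "JMP", "CALL"}  # first operand is only read
REG_LINE_RE = re.compile(r"^\s*(E[A-Z]{2})\s+([0-9A-Fa-f]{8})\b")
HEX8_RE = re.compile(r"[0-9A-Fa-f]{8}")
BYTES_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
MEM_RE = re.compile(r"\[([^\]]+)\]")
REG_TERM_RE = re.compile(r"(E[A-Z]{2})(?:\*([1248]))?")

# Constructed register values to go with the posted EIP line (EBX is the one that matters).
CRASH_REGISTERS = "EBX 0BADF00D\nEDI 00160178\nEBP 0006FE70\nEIP 7C91B3FB ntdll.7C91B3FB\n"
CRASH_LISTING = """\
        7C91B3F2   . 8B5E 0C        MOV EBX,DWORD PTR DS:[ESI+C]
        7C91B3F5   . 899D 9CFEFFFF  MOV DWORD PTR SS:[EBP-164],EBX
here >> 7C91B3FB   . 8B0B           MOV ECX,DWORD PTR DS:[EBX]
        7C91B3FD   . 3B4F 04        CMP ECX,DWORD PTR DS:[EDI+4]
        7C91B400   . 0F85 68BA0100  JNZ ntdll.7C936E6E
"""
# Constructed: the 'mov [ebx], edi' shape HD describes, at a made-up address.
WRITE_REGISTERS = "EBX 0BADF00D\nEDI 00000001\nEIP 00401000\n"
WRITE_LISTING = "00401000   . 893B           MOV DWORD PTR DS:[EBX],EDI\n"

def parse_register_dump(text):
    """'EIP 7C91B3FB ntdll.7C91B3FB' -> {'EIP': 0x7C91B3FB}; one register per line."""
    matches = (REG_LINE_RE.match(ln) for ln in text.splitlines())
    return {m.group(1).upper(): int(m.group(2), 16) for m in matches if m}

def parse_disasm_line(line):
    """(address, MNEMONIC, [operands]) for one listing line. Skips a leading note such as
    'here >>' and the '.' marker column; opcode bytes are the even-length, not purely
    alphabetic hex tokens before the mnemonic (a byte column of just 'CC' would misparse)."""
    toks = line.split()
    idx = next((i for i, t in enumerate(toks) if HEX8_RE.fullmatch(t)), None)
    j = idx + 1 if idx is not None else len(toks)
    if j < len(toks) and toks[j] in (".", ">", "$", "/", "|", "\\"):
        j += 1
    while j < len(toks) and BYTES_RE.fullmatch(toks[j]) and not toks[j].isalpha():
        j += 1
    if j >= len(toks):
        raise ValueError("not an instruction line: %r" % line)
    operands = " ".join(toks[j + 1:]).upper()
    return int(toks[idx], 16), toks[j].upper(), ([o.strip() for o in operands.split(",")] if operands else [])

def effective_address(expr, regs):
    """Evaluate 'EBP-164', 'ESI+C' or 'EAX+ECX*4+10' (OllyDbg hex, no 0x) -> (address, registers used)."""
    total, deps = 0, []
    for sign, term in re.findall(r"([+-]?)([^+\-\s]+)", expr.upper()):
        m = REG_TERM_RE.fullmatch(term)
        if m and m.group(1) in REGS32:
            deps.append(m.group(1))
            value = regs[m.group(1)] * int(m.group(2) or 1)
        else:
            value = int(term, 16)
        total += -value if sign == "-" else value
    return total & 0xFFFFFFFF, deps

def classify_accesses(mnemonic, ops, regs):
    """One record per memory operand: read or write, the address it resolves to, the registers
    that decide it and, for a write, the register supplying the data (Intel syntax: first operand
    is the destination unless the mnemonic only reads it)."""
    out = []
    for i, op in enumerate(ops):
        m = MEM_RE.search(op)
        if not m:
            continue
        addr, deps = effective_address(m.group(1), regs)
        writes = i == 0 and mnemonic not in READ_ONLY_DEST
        value_reg = ops[1] if writes and len(ops) > 1 and ops[1] in REGS32 else None
        out.append({"kind": "write" if writes else "read", "address": addr,
                    "address_regs": deps, "value_reg": value_reg})
    return out

def triage(register_dump, listing):
    """Locate the instruction at EIP in the listing and classify its memory accesses."""
    regs = parse_register_dump(register_dump)
    for line in filter(str.strip, listing.splitlines()):
        try:
            addr, mnemonic, ops = parse_disasm_line(line)
        except ValueError:
            continue
        if addr == regs["EIP"]:
            return {"eip": addr, "mnemonic": mnemonic, "operands": ops,
                    "accesses": classify_accesses(mnemonic, ops, regs)}
    raise LookupError("listing has no line at EIP %08X" % regs["EIP"])

def summarize(result):
    """One line per access: the text to paste beside a register dump when reporting a crash."""
    head = "EIP %08X: %s %s" % (result["eip"], result["mnemonic"], ",".join(result["operands"]))
    body = ["  %s of [%08X], address from %s%s" % (a["kind"], a["address"],
            "+".join(a["address_regs"]) or "immediate",
            ", data from %s" % a["value_reg"] if a["value_reg"] else "") for a in result["accesses"]]
    return "\n".join([head] + body)

if __name__ == "__main__":
    print(summarize(triage(CRASH_REGISTERS, CRASH_LISTING)))  # read of [0BADF00D], address from EBX
    print(summarize(triage(WRITE_REGISTERS, WRITE_LISTING)))  # write of [0BADF00D], address from EBX, data from EDI
```

Run it as-is to see both reports. For the posted crash the faulting instruction only reads through EBX into ECX, so what the report tells a triager is "a read through whatever EBX held"; the constructed second case shows the write shape, where the address comes from EBX and the stored value from EDI, which is the combination HD's example instruction describes.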
