Metasploit mailing list archives

Any hints for this port (Zenworks sploit) ?


From: nowwhat at free.fr (nowwhat at free.fr)
Date: Fri, 24 Aug 2007 17:31:12 +0200

Just updating my thread with today's work; the more input the better.

When EIP got overwritten, it seemed like the stack contained a pointer to my
buffer 8 bytes below the top. So I figured I would find a return address with a
"pop pop ret" sequence.
I looked up a return address that would also be ASCII compliant, and spammed the
memory with it, because the offset that gets popped is random. It also makes for
a non-reliable exploit, since the buffer of data gets randomly shifted, probably
because it was allocated as bytes/chars.

When finally the program hangs with the stack overwritten with the good return
address, I just can't debug any further. I put a breakpoint on my return address
but it never gets there; the application dies with a C0000005 error code.

It seems to me that this could be exploitable, but I'm struggling quite a bit
with an exploit that works one time out of ten at best.

Every comment is appreciated.


Jerome Athias <jerome.athias at free.fr> wrote:


nowwhat at free.fr wrote:
Thanks q:

Egghunting will probably be a good idea in the future; the problem for now is I
can't execute s**t since I just randomly pop something I can't predict into EIP.
The server just closes the connection when I spam it with my return address. It's
probably ASCII related, although I'm not too sure how I could both write the
return address and be ASCII compliant...
Are you sure that you have correctly retrieved badchars?
(http://en.wikibooks.org/wiki/Metasploit/WritingWindowsExploit#Dealing_with_badchars)
Using breakpoints in your debugger (and maybe Wireshark) should help you a lot...

going further, please think about the nice encoders of the MSF ;-)

Good luck
/JA

PS: the Immunity debugger includes some useful functions to deal with
egghunting and so on...
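The two things the thread keeps circling back to are finding a "pop pop ret" address and making sure its bytes survive the badchar/ASCII filtering the server applies. Below is an added example of how one checks both mechanically; it is not code from the original thread, from Metasploit, or from the Zenworks target. The code section (`IMAGE`), its load address (`BASE`), the three planted gadgets and the default badchar set are all constructed for this example, and `find_pop_pop_ret`, `is_ascii_printable` and `build_slide` are names chosen here, not tool APIs.

```python
import struct

# x86 one-byte opcodes: pop eax..pop edi are 0x58..0x5f; ret is 0xc3, ret imm16 is 0xc2.
POP_R32 = range(0x58, 0x60)
RET_OPCODES = (0xC3, 0xC2)

# Constructed sample: a 12 KiB "code section" of NOP filler with three planted
# gadgets. The base address and the contents are made up for this example.
BASE = 0x41410000
_img = bytearray(b"\x90" * 0x3000)
_img[0x0A30:0x0A33] = b"\x5e\x5d\xc3"          # pop esi ; pop ebp ; ret
_img[0x2142:0x2145] = b"\x58\x5b\xc3"          # pop eax ; pop ebx ; ret
_img[0x2F80:0x2F85] = b"\x59\x5a\xc2\x04\x00"  # pop ecx ; pop edx ; ret 4
IMAGE = bytes(_img)


def packed(addr):
    """The little-endian dword, i.e. the 4 bytes that actually land in the buffer."""
    return struct.pack("<I", addr)


def is_ascii_printable(addr):
    """True if every byte of the packed address is printable ASCII (0x20..0x7e)."""
    return all(0x20 <= b < 0x7F for b in packed(addr))


def find_pop_pop_ret(image, base, badchars=b"\x00\x0a\x0d", ascii_only=False):
    """Return the virtual address of every 'pop r32 ; pop r32 ; ret[ imm16]' in
    image whose packed form contains no bad character and, if ascii_only is set,
    consists of printable ASCII only. badchars must come from your own testing
    of the target; the default here is only a common starting point."""
    hits = []
    for off in range(len(image) - 2):
        b0, b1, b2 = image[off], image[off + 1], image[off + 2]
        if b0 not in POP_R32 or b1 not in POP_R32 or b2 not in RET_OPCODES:
            continue
        addr = base + off
        if any(b in badchars for b in packed(addr)):
            continue
        if ascii_only and not is_ascii_printable(addr):
            continue
        hits.append(addr)
    return hits


def build_slide(addr, size):
    """Fill a buffer of `size` bytes with the packed address repeated, so that a
    return into any 4-byte-aligned slot of the buffer still reaches the gadget."""
    return packed(addr) * (size // 4)


if __name__ == "__main__":
    for addr in find_pop_pop_ret(IMAGE, BASE):
        kind = "ascii" if is_ascii_printable(addr) else "binary"
        print("0x%08x  %s" % (addr, kind))
```

Run against the constructed image, the gadget at 0x41410a30 is dropped because its packed form contains 0x0a, and only 0x41412142 survives with `ascii_only=True` (its bytes are `B!AA`). Two caveats worth keeping in mind when spraying a buffer with the address, as the post describes: the repeated dword only tolerates shifts that are multiples of 4, and a `ret imm16` gadget releases `imm16` extra bytes of stack after the return, which changes what ESP points at when your code starts.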