Vulnerability Development mailing list archives

ColdFusion Heap Overflow -continued


From: "Gary O'leary-Steele" <garyo () sec-1 com>
Date: Fri, 15 Nov 2002 17:26:50 -0000

Hi all,

I am attempting to write exploit code for the ColdFusion heap overflow
(still).

On advice from various people on the SecurityFocus list I have installed SoftICE and
located the exception handler in question.

The handler code starts at

0x77f82b95

The code I am trying to manipulate is at

0x77f8e43b      mov ecx, [ebp+0x18]
0x77f8e43e      call ecx

where ebp changes each time the exception is raised.

I can control the following values within the following instruction:

mov [ecx], eax


where ecx and eax can be any value I specify. The problem (or my lack of
understanding) is that the stack frame is set up when the exception is
handled, and I can't seem to write to [ebp+0x18] due to the fact that it changes
etc. (stop me if I'm wrong).

Attempting to overwrite the instruction (sorry if this is a basic can't-do)
with mov [ecx], eax where ecx = 0x77f8e43b and eax = 0x41414141 doesn't seem
to do anything?


Any help or pointers are greatly appreciated.

Thanks in advance.

Kind Regards
Gary
Sec-1