Vulnerability Development mailing list archives
Re: POC Heap based buffer overflow
From: "Roland Postle" <mail () blazde co uk>
Date: Sat, 12 Apr 2003 13:41:50 -0400
On Fri, 11 Apr 2003 15:16:11 -0400, Aaron C. Newman (Application Security, Inc.) wrote:
The payload is not written directly to ESP or EBP, so I cannot simply call somewhere in the program where there is a "call esp" or "jmp esp". One of the areas overwritten does seem to be consistently written to ESP + 0x1D00 or EBP + 0x1D10, so I was hoping to find someplace in code where it executes: add esp, 0x1D00 / jmp esp
Sometimes you'll find you can control a dword further down the stack; then you can find an add esp, 0x100 / retn to get you there, then again find another dword a bit further down that you control, so you end up 'hopping' down the stack. But I doubt it would work in your case; 0x1D00 is a long way to go. The other thing to look for is a bit of static memory you can control. It need only be a few bytes long, enough to put an add esp, 0x1d00 / retn in. Then jump there. If your target app is single threaded (or your overflow is always in the first thread) you may even find a good bit of 'static' memory further down the stack. In my experience the first thread always gets a stack based at the same address (0x00140000), though it may be OS version specific. - Blazde