Vulnerability Development mailing list archives
Exploiting new IE Object Type Overflow
From: Dave <chaboyd77 () yahoo com>
Date: 5 Jun 2003 03:44:40 -0000
Hi, I've had really good success with basic overflows and have been trying to attempt something moderate+. I've successfully duplicated the overflow (IE Object Type) (ESP doesn't seem to be overwritten, but EDI is). However, since the value located in EDI is referenced then program flow can be controlled?? I just can't seem to do anything with EDX as stated in the EEYE Advisory.. "This allows us to take control of key registers so as to run code that we specify, which will be available at the EDX register. On my system (2000 Pro SP3) EDX always has a value of 0 and nothing I do changes its value or any other registers value (besides EDI). Also, this is different from a regular stack overflow as placing the address of a JMP ESP in EDI doesn't always seem to be gauranteed to point to my code. Is there something really easy I'm missing here? Thanks, Dave
Current thread:
- Exploiting new IE Object Type Overflow Dave (Jun 05)
- RE: Exploiting new IE Object Type Overflow Brett Moore (Jun 06)