Vulnerability Development mailing list archives

Re: MS05-039


From: A A <hd78432 () yahoo com>
Date: Tue, 13 Sep 2005 05:11:12 -0700 (PDT)

  Can anyone tell me the name of the function or
memory location where the vulnerability occurs (and in
either the .exe or one of the .dlls)?  I've been
digging for this for a while.

--- A A <hd78432 () yahoo com> wrote:

The HOD exploit for MS05-039 has been tested on Windows 2000 SP4. Based upon the comments in the machine code for the RPC call, I am assuming the return address for the buffer overflow to be 0x767a1567. Is this memory address the return address for the buffer overflow?

  If it is the case that this address is the return address for the buffer overflow, the code that it returns to looks something like this:
"pop eax
 pop esi
 ret"
Why would overflowing to an address that pops a value into the eax register cause this program to become vulnerable? I don't see why overflowing to this address would cause a program to become vulnerable.


  Does anyone know what the machine code looks like
exactly before the spot in the vulnerable program
where this vulnerability occurs?   
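Added illustration, not part of the post above and not taken from HOD's exploit or from umpnpmgr.dll: what a "pop eax; pop esi; ret" address actually does when it is the value that an overwritten return address or an overwritten SEH handler pointer holds. The gadget computes nothing useful; it discards two dwords and then returns into the third, so it is a trampoline to whatever sits at [esp+8] at the moment it is entered. With a plain saved-return overwrite that third dword is whatever the caller left there; in the SEH case it is the EstablisherFrame argument the exception dispatcher pushed, which is the address of the EXCEPTION_REGISTRATION record the attacker just overwrote, i.e. the attacker's own bytes. Which of the two (if either) the MS05-039 exploit relies on is not established by this thread. Every stack layout and address below (0x0012f000, 0x0012ff00, 0x0012e800, 0x77f80000 and the rest) is constructed for the demonstration; only 0x767a1567 comes from the post, and it is used purely as a label.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed emulation of a "pop eax; pop esi; ret" gadget on a 32-bit
 * stack.  Nothing here is umpnpmgr.dll or HOD's exploit; all layouts and
 * addresses are made up for the illustration. */

#define GADGET     0x767a1567u   /* the pop/pop/ret address from the post */
#define MAX_DWORDS 16

/* A small window of stack memory; mem[0] lives at address base. */
typedef struct {
    uint32_t base;
    uint32_t mem[MAX_DWORDS];
} stack_t;

typedef struct { uint32_t eax, esi, esp, eip; } cpu_t;

static uint32_t ld(const stack_t *s, uint32_t addr) {
    assert(addr >= s->base && (addr & 3) == 0);
    uint32_t i = (addr - s->base) / 4;
    assert(i < MAX_DWORDS);
    return s->mem[i];
}

static uint32_t pop(cpu_t *c, const stack_t *s) {
    uint32_t v = ld(s, c->esp);
    c->esp += 4;
    return v;
}

/* Execute the gadget with eip already at GADGET.  pop eax and pop esi each
 * discard one dword; ret loads eip from the third.  The gadget is thus a
 * trampoline to whatever address sits at [esp+8] when it is entered. */
uint32_t run_gadget(cpu_t *c, const stack_t *s) {
    assert(c->eip == GADGET);
    c->eax = pop(c, s);   /* pop eax */
    c->esi = pop(c, s);   /* pop esi */
    c->eip = pop(c, s);   /* ret     */
    return c->eip;
}

/* Case 1: a function's saved return address was overwritten with GADGET.
 * This is the frame as that function executes its own "ret". */
uint32_t case_saved_return(void) {
    stack_t s = { .base = 0x0012f000u, .mem = {
        GADGET,        /* [esp]    overwritten saved return address           */
        0x41414141u,   /* [esp+4]  eaten by pop eax                            */
        0x41414141u,   /* [esp+8]  eaten by pop esi                            */
        0x0012e800u,   /* [esp+12] ret lands here: whatever the caller left,   */
                       /*          here a constructed pointer into the buffer  */
    } };
    cpu_t c = { .esp = 0x0012f000u };
    c.eip = pop(&c, &s);            /* the vulnerable function's ret */
    return run_gadget(&c, &s);
}

/* Case 2: the handler field of an EXCEPTION_REGISTRATION record on the
 * stack was overwritten with GADGET and an exception fired.  The dispatcher
 * calls handler(EXCEPTION_RECORD *rec, void *EstablisherFrame, CONTEXT *ctx,
 * void *dispatcherCtx), so at handler entry [esp+8] is EstablisherFrame, the
 * address of the very record the attacker overwrote.  Its first dword (the
 * "next" pointer) is attacker data too, here a short jump over the handler
 * field (EB 06 90 90). */
#define SEH_RECORD 0x0012ff20u
uint32_t case_seh_handler(uint32_t *dword_at_landing) {
    stack_t s = { .base = 0x0012ff00u };
    s.mem[0] = 0x77f80000u;    /* [esp]    return into the dispatcher (constructed) */
    s.mem[1] = 0x0012fb00u;    /* [esp+4]  EXCEPTION_RECORD*                        */
    s.mem[2] = SEH_RECORD;     /* [esp+8]  EstablisherFrame                         */
    s.mem[3] = 0x0012fb80u;    /* [esp+12] CONTEXT*                                 */
    s.mem[8] = 0x909006EBu;    /* record.next    at 0x0012ff20: jmp short +6        */
    s.mem[9] = GADGET;         /* record.handler at 0x0012ff24: pop/pop/ret         */
    cpu_t c = { .esp = 0x0012ff00u, .eip = GADGET };   /* dispatcher did call [handler] */
    uint32_t eip = run_gadget(&c, &s);
    if (dword_at_landing)
        *dword_at_landing = ld(&s, eip);
    return eip;
}

/* The bytes execution reaches in the SEH case: the attacker's jmp short. */
uint32_t seh_landing_dword(void) {
    uint32_t d = 0;
    (void)case_seh_handler(&d);
    return d;
}

int main(void) {
    printf("saved-return case: gadget returns to %08x\n",
           (unsigned)case_saved_return());
    printf("SEH case: gadget returns to %08x, dword there %08x\n",
           (unsigned)case_seh_handler(0), (unsigned)seh_landing_dword());
    return 0;
}
```

The point the two cases make is that the value loaded into eax is irrelevant; the gadget is chosen only because its ret consumes the dword two slots above the one the CPU or the dispatcher just used, and in the SEH layout that dword is guaranteed to point back into attacker-controlled stack memory.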



