Vulnerability Development mailing list archives
RE: MS05-039
From: "Ben Nagy" <ben () iagu net>
Date: Mon, 12 Sep 2005 10:45:22 +0700
-----Original Message----- From: A A [mailto:hd78432 () yahoo com] Sent: Friday, September 09, 2005 6:52 PM To: vuln-dev () securityfocus com Subject: MS05-039 The HOD exploit for ms05-39 has been tested on windows 2000 sp4. Based upon the comments in the machine code for the rpc call I am assuming the return address for the buffer overflow to be 0x767a1567. Is this memory address the return address for the buffer overflow? If it is the case that this address is the return address for the buffer overflow the code that it returns to looks something like this: "pop eax pop esi ret" Why would overflowing to an address that pops a value into the eax register cause this program to become vulnerable? I don't see why overflowing to this address would cause a program to become vulnerable.
Without seeing the exploit, it's probably the RET that is causing the damage. RET will return execution to the address of the top of the stack. Why not take a look at the stack and see where execution is going? If this is following the standard pattern, those two pops are just a way to "clean" some junk from the bottom of the stack, so the shellcode address can be accessed via the RET. The fact that data is being stored in EAX/ESI is usually kind of irrelevant. Of course that's just the simple way, there might be exception handling tricks in there too, but, again, I haven't looked at this exploit in particular. Cheers, ben
Current thread:
- MS05-039 A A (Sep 09)
- RE: MS05-039 Ben Nagy (Sep 12)
- Re: MS05-039 A A (Sep 13)
- Re: MS05-039 Bill Weiss (Sep 14)
- <Possible follow-ups>
- Re: MS05-039 A A (Sep 29)