RE: MS05-039

["Ben Nagy" <ben () iagu net>]

> -----Original Message-----
> From: A A [mailto:hd78432 () yahoo com] 
> Sent: Friday, September 09, 2005 6:52 PM
> To: vuln-dev () securityfocus com
> Subject: MS05-039
>
> The HOD exploit for ms05-39 has been tested on windows
> 2000 sp4.  Based upon the comments in the machine code
> for the rpc call I am assuming the return address for
> the  buffer overflow to be 0x767a1567.  Is this memory
> address the return address for the buffer overflow?
>
>   If it is the case that this address is the return
> address for the buffer overflow the code that it
> returns to looks something like this:
> "pop eax
>  pop esi
>  ret"
> Why would overflowing to an address that pops a value
> into the eax register cause this program to become
> vulnerable?  I don't see why overflowing to this
> address would cause a program to become vulnerable.  

Without seeing the exploit, it's probably the RET that is causing the
damage. RET will return execution to the address of the top of the stack.
Why not take a look at the stack and see where execution is going? If this
is following the standard pattern, those two pops are just a way to "clean"
some junk from the bottom of the stack, so the shellcode address can be
accessed via the RET. The fact that data is being stored in EAX/ESI is
usually kind of irrelevant.

Of course that's just the simple way, there might be exception handling
tricks in there too, but, again, I haven't looked at this exploit in
particular.

Cheers,

ben