Vulnerability Development mailing list archives
Help developing an exploit
From: "Webster Orkin" <webster.orkin () gmail com>
Date: Sat, 28 Apr 2007 21:46:08 -0400
Hi List,

I discovered a buffer overflow in a networked application that my company uses. I plan to notify the company that writes the program, but I'd like to develop sample exploit code before I do so they'll take it more seriously. I've never written exploit code, but I do have experience with coding, network security, etc. In the past couple of weeks I've been looking at a lot of exploit code, reading up on metasploit, and working with Windbg.

Basically, their program listens on a TCP port for a connection that sends a username/password in an XML message. They don't bounds-check either username (overflows after 45 chars) or password (overflows after 23 chars). Playing with larger inputs, I am able to get a payload sent, and can get values into EAX, EDX, and EIP at various points. The problem I've been having is that my payload ends up at address 0x0012E6B4 and if I try to get that address into EIP, my entire message is rejected for containing an x00 character.

Here's what I've found about what I can send:

    (23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into EDX->EIP)(up to 4500 bytes)

Clearly that last block would be a great place for a payload, but I just can't seem to get EIP to what I want. Here are the last three lines of the program disassembly:

    mov edx,dword ptr [eax]
    push eax
    call dword ptr [edx+8]

That last line is where the debugger keeps stopping because, since I haven't been able to put in the address I want (0012...), I've been using invalid memory addresses as space holders (\xb4\xe6\x12\xcc). I'm not sure if anyone can help, but it feels like I'm very close. I can also send along my current metasploit ruby file if that would help. If anyone has any suggestions, I'd greatly appreciate it.

Thanks,
-Webster
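The defect the post describes is a login handler that copies the XML username and password fields into fixed-size buffers without comparing the field length with the buffer size. The following is an added example written for this archive page, not the vendor's code and not from the original post: a hypothetical handler that extracts the two fields from a login message into fixed buffers, with the length check the original program apparently lacks. The buffer sizes (46 and 24 bytes, matching the 45- and 23-character limits reported above), the element names `username` and `password`, and the functions `find_element`, `copy_bounded`, `parse_login` and `check_length_limits` are all assumptions for illustration.

```c
/* Added example, not the vendor's code or the poster's. Assumed: a login
   handler that pulls <username> and <password> text out of a simple XML
   message into fixed-size stack buffers. The post reports overflows after
   45 and 23 characters, so the hypothetical buffers hold 45 + NUL and
   23 + NUL bytes. The hardened copy rejects over-length fields instead of
   writing past the buffer. */
#include <stdio.h>
#include <string.h>

#define USER_MAX 45   /* longest username accepted (assumed limit) */
#define PASS_MAX 23   /* longest password accepted (assumed limit) */

/* Locate the text between <tag> and </tag>. Returns a pointer to the
   text and stores its length in *len, or NULL if the element is missing
   or unterminated. No decoding of entities is attempted (illustration). */
static const char *find_element(const char *msg, const char *tag, size_t *len) {
    char open[32], close[32];
    snprintf(open, sizeof open, "<%s>", tag);
    snprintf(close, sizeof close, "</%s>", tag);
    const char *start = strstr(msg, open);
    if (!start) return NULL;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (!end) return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Hardened copy: the missing check in the vulnerable pattern is the
   comparison of len against dst_size. Anything that would not fit with its
   terminating NUL is refused and dst is left untouched. */
static int copy_bounded(char *dst, size_t dst_size, const char *src, size_t len) {
    if (len >= dst_size) return -1;   /* would overflow or drop the NUL */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse a login message into the caller's fixed buffers.
   Returns 0 on success, -1 if an element is missing, -2 if a field is
   too long for its buffer. */
int parse_login(const char *msg, char *user, size_t user_size,
                char *pass, size_t pass_size) {
    size_t ulen = 0, plen = 0;
    const char *u = find_element(msg, "username", &ulen);
    const char *p = find_element(msg, "password", &plen);
    if (!u || !p) return -1;
    if (copy_bounded(user, user_size, u, ulen) != 0) return -2;
    if (copy_bounded(pass, pass_size, p, plen) != 0) return -2;
    return 0;
}

/* Self-check with constructed messages: a 45-character username is
   accepted, a 46-character one is rejected and the user buffer is left
   untouched. Returns 1 when both limits hold, 0 otherwise. */
int check_length_limits(void) {
    char msg[256], user[USER_MAX + 1], pass[PASS_MAX + 1];
    char longname[USER_MAX + 2];

    memset(longname, 'A', USER_MAX);          /* exactly 45 characters */
    longname[USER_MAX] = '\0';
    snprintf(msg, sizeof msg,
             "<login><username>%s</username><password>pw</password></login>", longname);
    if (parse_login(msg, user, sizeof user, pass, sizeof pass) != 0) return 0;

    longname[USER_MAX] = 'A';                 /* now 46 characters */
    longname[USER_MAX + 1] = '\0';
    snprintf(msg, sizeof msg,
             "<login><username>%s</username><password>pw</password></login>", longname);
    strcpy(user, "untouched");
    if (parse_login(msg, user, sizeof user, pass, sizeof pass) != -2) return 0;
    if (strcmp(user, "untouched") != 0) return 0;
    return 1;
}

int main(void) {
    char user[USER_MAX + 1], pass[PASS_MAX + 1];
    /* constructed sample message */
    const char *ok = "<login><username>alice</username><password>s3cret</password></login>";
    int rc = parse_login(ok, user, sizeof user, pass, sizeof pass);
    printf("valid message: rc=%d user=%s\n", rc, user);
    printf("length limits enforced: %d\n", check_length_limits());
    return 0;
}
```

The point of the example is the single comparison in `copy_bounded`: with it, an over-length field is an error the caller can log and refuse; without it, the field length is under the client's control and the stack is overwritten exactly as the post describes. A server-side log of rejected over-length logins is also a cheap detection signal for probing of this kind.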
Current thread:
- Help developing an exploit Webster Orkin (Apr 29)
- Re: Help developing an exploit Felix Lindner (Apr 30)
- RE: Help developing an exploit Sol Z List (Apr 30)
- <Possible follow-ups>
- Re: Help developing an exploit Claudio Broglia (Apr 30)