Re: Help developing an exploit

[Felix Lindner <fx () sabre-labs com>]

Hi,

On Sat, 28 Apr 2007 21:46:08 -0400
"Webster Orkin" <webster.orkin () gmail com> wrote:
> The problem I've been
> having is that my payload ends up at address 0x0012E6B4 and if I try
> to get that address into EIP, my entire message is rejected for
> containing an x00 character.  Here's what I've found about what I can
> send:
>
> (23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into
> EDX->EIP)(up to 4500 bytes)

from the address, it looks like your buffer is on the stack. Please ignore the
rest of this posting if that's not the case.
The obvious solution would be to look for a byte sequence 0xFFE4 (jmp esp) or
similar in memory mapped at addresses without 0x00 or other forbidden
characters in them. Since you say XML, I assume 0x3c, 0x2f and 0x3e wouldn't
be appreciated either. Once you find such an address, let EDX->EIP point
there, so execution will return to the stack.
You may try OllyDbg and http://www.phenoelit.de/win/OllyUni_0.10.zip for
finding specific byte sequences that may help you getting your code executed.

HIHAL,
FX

-- 
SABRE Labs GmbH            | Felix 'FX' Lindner <fx () sabre-labs com> 
http://www.sabre-labs.com  | GSM: +49 171 7402062
Wrangelstrasse 4           | PGP: A740 DE51 9891 19DF 0D05  
10997 Berlin, Germany      |      13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner