Vulnerability Development mailing list archives
Re: Help developing an exploit
From: Felix Lindner <fx () sabre-labs com>
Date: Mon, 30 Apr 2007 12:17:06 +0200
Hi,

On Sat, 28 Apr 2007 21:46:08 -0400 "Webster Orkin" <webster.orkin () gmail com> wrote:

> The problem I've been having is that my payload ends up at address 0x0012E6B4 and if I try to get that address into EIP, my entire message is rejected for containing an x00 character. Here's what I've found about what I can send:
>
> (23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into EDX->EIP)(up to 4500 bytes)
From the address, it looks like your buffer is on the stack. Please ignore the rest of this posting if that's not the case.

The obvious solution would be to look for a byte sequence 0xFFE4 (jmp esp) or similar in memory mapped at addresses without 0x00 or other forbidden characters in them. Since you say XML, I assume 0x3c, 0x2f and 0x3e wouldn't be appreciated either. Once you find such an address, let EDX->EIP point there, so execution will return to the stack.

You may try OllyDbg and http://www.phenoelit.de/win/OllyUni_0.10.zip for finding specific byte sequences that may help you get your code executed.

HIHAL,
FX

--
SABRE Labs GmbH              | Felix 'FX' Lindner <fx () sabre-labs com>
http://www.sabre-labs.com    | GSM: +49 171 7402062
Wrangelstrasse 4             | PGP: A740 DE51 9891 19DF 0D05
10997 Berlin, Germany        | 13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
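The two checks FX describes, as an added Python example (not code from this thread, from OllyDbg or from OllyUni): first, why 0x0012E6B4 cannot be sent, which only becomes obvious once the address is written in the little-endian byte order it travels in; second, what "an address without forbidden characters" means when scanning a loaded image for the FF E4 sequence. The bad-byte set is the one named in the thread (0x00 plus the XML characters 0x3c, 0x2f, 0x3e). The module base, image contents and gadget offsets below are constructed for illustration and do not describe any real binary.

```python
import struct

# Bytes the quoted message says the transport rejects: NUL, plus FX's
# assumption that an XML channel also dislikes '<', '/' and '>'.
BAD_BYTES = frozenset({0x00, 0x3C, 0x2F, 0x3E})

# x86 encoding of `jmp esp`, the sequence named in the reply.
JMP_ESP = b"\xff\xe4"


def address_bytes(addr: int) -> bytes:
    """32-bit little-endian encoding: the order the four bytes are sent in."""
    return struct.pack("<I", addr)


def bad_bytes_in(addr: int, bad=BAD_BYTES) -> list:
    """Sorted list of forbidden byte values that appear in the encoded address.

    An empty list means the address survives the filter described in the thread.
    """
    return sorted({b for b in address_bytes(addr) if b in bad})


def find_clean_gadgets(image: bytes, base: int, pattern=JMP_ESP, bad=BAD_BYTES) -> list:
    """Absolute addresses of `pattern` inside `image` (loaded at `base`)
    whose little-endian encoding contains none of the bad bytes."""
    hits = []
    start = 0
    while True:
        i = image.find(pattern, start)
        if i < 0:
            break
        addr = base + i
        if not bad_bytes_in(addr, bad):
            hits.append(addr)
        start = i + 1  # keep scanning; overlapping matches are fine
    return hits


# Constructed sample: a 12 KiB image of NOPs (0x90) with three FF E4
# sequences planted at chosen offsets. The base 0x7C800000 is made up.
SAMPLE_BASE = 0x7C800000


def sample_image() -> bytes:
    image = bytearray(b"\x90" * 0x3000)
    image[0x003C:0x003E] = JMP_ESP  # 0x7C80003C -> bytes 3c 00 80 7c: rejected
    image[0x1234:0x1236] = JMP_ESP  # 0x7C801234 -> bytes 34 12 80 7c: clean
    image[0x2F2F:0x2F31] = JMP_ESP  # 0x7C802F2F -> bytes 2f 2f 80 7c: rejected
    return bytes(image)


if __name__ == "__main__":
    stack_addr = 0x0012E6B4  # the address from the quoted message
    print(f"{stack_addr:#010x} on the wire: {address_bytes(stack_addr).hex(' ')}")
    print("forbidden bytes in it:", [f"{b:#04x}" for b in bad_bytes_in(stack_addr)])
    for addr in find_clean_gadgets(sample_image(), SAMPLE_BASE):
        print(f"clean jmp esp at {addr:#010x}")
```

The little-endian view is the whole point of the first check: 0x0012E6B4 is rejected not because of the "00" in the middle of its hex spelling but because its high byte, sent last, is NUL. The scan is the same filter applied to every candidate, which is what OllyUni automates inside the debugger. From the defensive side, this is also why module rebasing and ASLR matter: an image whose base changes between runs gives no stable FF E4 address, so the return-to-stack trick in this thread only works against non-randomized modules.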
Current thread:
- Help developing an exploit Webster Orkin (Apr 29)
- Re: Help developing an exploit Felix Lindner (Apr 30)
- RE: Help developing an exploit Sol Z List (Apr 30)
- <Possible follow-ups>
- Re: Help developing an exploit Claudio Broglia (Apr 30)