Vulnerability Development mailing list archives
Re: Help developing an exploit
From: Claudio Broglia <xeon () sysroot eu>
Date: Mon, 30 Apr 2007 11:24:46 +0200
Hi List,
Hi Webster,
> I discovered a buffer overflow in a networked application ... ... The problem I've been having is that my payload ends up at address 0x0012E6B4 and if I try to get that address into EIP, my entire message is rejected for containing an x00 character. ...
> (23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into EDX->EIP)(up to 4500 bytes) ...
> Here are the last three lines of the program disassembly:
>     mov edx,dword ptr [eax]
>     push eax
>     call dword ptr [edx+8]
> That last line is where the debugger keeps stopping because, since I haven't been able to put in the address I want (0012...), I've been using invalid memory addresses as space holders (\xb4\xe6\x12\xcc).
Just a summary: you would like to call your payload, which is located at address 0x0012e6b4, but you say you can't use a \x00 character. But from the code snippet you've posted, the last call is a "call dword ptr [edx+8]" and not a "call edx+8". So from what I understand you don't have to put 0x0012e6ac (0x0012e6b4-8) in EDX, but just an address in the process address space which contains 0x0012e6b4 at the time of the call. This address obviously would not contain a \x00 byte. To find it, just breakpoint at that call and search for it in memory (remember to subtract 8 from its address before putting it in your shellcode).
Hope I've been helpful, let me know.
bye
-xeon
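The point of the reply is that `call dword ptr [edx+8]` reads its target out of memory at EDX+8 rather than jumping to EDX+8, which is the ordinary shape of a dispatch through a handler table. The following C model is an added illustration for readers of the archive, not code from either poster or from the application discussed; every name in it (the `ops` table, `conn`, the `recv_*` functions) is hypothetical. It shows the same layout the report describes (a fixed buffer followed by the 4-byte value that ends up in EDX), why an unchecked copy lets a long message reach the table pointer so that the indirect call faults, and what the actual fix looks like (a length check before the copy). It also shows that the `\x00` filter the reporter hit is a content check, not a bounds check, and leaves the overflow untouched.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the dispatch in the posted disassembly:
 *   mov edx, dword ptr [eax]   ; edx = pointer to a handler table
 *   call dword ptr [edx+8]     ; call the entry stored at table+8
 * On 32-bit x86 offset 8 is the third 4-byte slot; the CPU reads the
 * target *from memory at edx+8*, it does not jump to edx+8 itself.
 * All names here are hypothetical. */
typedef int (*handler_fn)(const unsigned char *msg, size_t len);

struct ops {
    handler_fn on_open;     /* offset 0 */
    handler_fn on_close;    /* offset 4 on 32-bit */
    handler_fn on_message;  /* offset 8: the slot "call [edx+8]" reads */
};

/* Connection record: a fixed receive buffer immediately followed by the
 * table pointer, mirroring "(32 bytes)(4 bytes - loaded into EDX)". */
struct conn {
    unsigned char buf[32];
    const struct ops *vtbl;
};

static int on_open(const unsigned char *msg, size_t len)    { (void)msg; (void)len; return 0; }
static int on_close(const unsigned char *msg, size_t len)   { (void)msg; (void)len; return 0; }
static int on_message(const unsigned char *msg, size_t len) { (void)msg; return (int)len; }

static const struct ops default_ops = { on_open, on_close, on_message };

/* The indirect call: the target comes from the table, not from the pointer. */
static handler_fn dispatch_target(const struct ops *table) { return table->on_message; }

/* Vulnerable receive path: the length is never checked, so a message
 * longer than buf runs over vtbl and the call below dereferences whatever
 * the message wrote there (the fault the reporter sees in the debugger). */
static int recv_unchecked(struct conn *c, const unsigned char *msg, size_t len) {
    memcpy(c->buf, msg, len);                 /* BUG: no bound against sizeof c->buf */
    return dispatch_target(c->vtbl)(c->buf, len);
}

/* Hardened receive path: reject oversized input before any copy happens. */
static int recv_checked(struct conn *c, const unsigned char *msg, size_t len) {
    if (len > sizeof c->buf)
        return -1;                            /* too long: drop, do not dispatch */
    memcpy(c->buf, msg, len);
    return dispatch_target(c->vtbl)(c->buf, len);
}

/* The filter the reporter ran into: rejects any message carrying a 0x00
 * byte.  It inspects content, not length, so it does nothing about the
 * overflow in recv_unchecked. */
static int contains_nul(const unsigned char *msg, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (msg[i] == 0)
            return 1;
    return 0;
}

/* Driver: sends len bytes of 'A' through the checked path on a fresh
 * connection and returns what the handler returned (-1 if rejected). */
static int send_checked(size_t len) {
    struct conn c = { {0}, &default_ops };
    unsigned char msg[64];
    if (len > sizeof msg)
        return -2;
    memset(msg, 'A', len);
    return recv_checked(&c, msg, len);
}

int main(void) {
    unsigned char big[64];
    memset(big, 'A', sizeof big);

    printf("checked path, 16 bytes: %d\n", send_checked(16));   /* 16 */
    printf("checked path, 64 bytes: %d\n", send_checked(64));   /* -1 */
    printf("NUL filter on 64 x 'A': %d\n", contains_nul(big, sizeof big)); /* 0 */
    /* recv_unchecked with big is deliberately not called: it would overwrite
     * c.vtbl and fault at the indirect call, exactly the observed crash. */
    (void)recv_unchecked;
    return 0;
}
```

The observable for a defender is the fault at the indirect call: the process dies because the table pointer was overwritten with message bytes, and that crash is worth a hard look whenever it shows up in a service handling untrusted input. The remediation belongs in `recv_unchecked`'s missing length check, not in the byte filter.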
Current thread:
- Help developing an exploit Webster Orkin (Apr 29)
- Re: Help developing an exploit Felix Lindner (Apr 30)
- RE: Help developing an exploit Sol Z List (Apr 30)
- <Possible follow-ups>
- Re: Help developing an exploit Claudio Broglia (Apr 30)