Vulnerability Development mailing list archives
RE: Help developing an exploit
From: "Sol Z List" <RaMatkal () hotmail com>
Date: Mon, 30 Apr 2007 10:21:20 +0200
Generally, when exploiting Windows apps the idea isn't to overflow EIP with the address of your shellcode (if it's on the stack) because, as you said, the address contains NULL characters...

After you overflow the stack, do any of the registers point anywhere near your shellcode? Then all you need to do is overflow EIP with the address of a JMP (reg) in the process's address space. I.e. suppose EBX points to your shellcode, then you would overflow EIP with the address of a JMP EBX or CALL EBX etc... These addresses can be found manually or using the metasploit opcode database..

Hope that was clear...

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Webster Orkin
Sent: Sunday, April 29, 2007 3:46 AM
To: vuln-dev () securityfocus com
Subject: Help developing an exploit

Hi List,

I discovered a buffer overflow in a networked application that my company uses. I plan to notify the company that writes the program, but I'd like to develop sample exploit code before I do so they'll take it more seriously. I've never written exploit code, but I do have experience with coding, network security, etc. In the past couple of weeks I've been looking at a lot of exploit code, reading up on metasploit, and working with Windbg.

Basically, their program listens on a TCP port for a connection that sends a username/password in an XML message. They don't bounds-check either username (overflows after 45 chars) or password (overflows after 23 chars). Playing with larger inputs, I am able to get a payload sent, and can get values into EAX, EDX, and EIP at various points. The problem I've been having is that my payload ends up at address 0x0012E6B4 and if I try to get that address into EIP, my entire message is rejected for containing an x00 character.

Here's what I've found about what I can send:

(23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into EDX->EIP)(up to 4500 bytes)

Clearly that last block would be a great place for a payload, but I just can't seem to get EIP to what I want. Here are the last three lines of the program disassembly:

mov edx,dword ptr [eax]
push eax
call dword ptr [edx+8]

That last line is where the debugger keeps stopping because, since I haven't been able to put in the address I want (0012...), I've been using invalid memory addresses as placeholders (\xb4\xe6\x12\xcc). I'm not sure if anyone can help, but it feels like I'm very close. I can also send along my current metasploit ruby file if that would help. If anyone has any suggestions, I'd greatly appreciate it.

Thanks,
-Webster
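The trampoline search Sol Z describes (find a JMP reg / CALL reg whose address has no NULL bytes, then overwrite the return address with it), as an added example that is not part of the original thread: a small C scanner that walks a byte image for register-indirect control transfers and flags any hit whose little-endian address contains 0x00, which the protocol in this thread would reject. The 32-byte image, its pretend load base 0x7C800FF0 and the choice of EBX are all made-up test data; against a real target you would feed it the bytes of a module loaded in the process, dumped from WinDbg.

```c
/* Added example: scan a byte image for register-indirect trampolines
 * (JMP reg, CALL reg, PUSH reg; RET) and flag addresses containing 0x00.
 * The image, its load base and the register are constructed test data. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

static const char *REG_NAMES[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};

struct gadget {
    uint32_t addr;    /* virtual address of the first gadget byte */
    const char *kind; /* "jmp", "call" or "push/ret" */
    int reg;          /* x86 register number 0..7 */
};

/* x86 encodings:  FF E0+r = jmp r32   FF D0+r = call r32   50+r C3 = push r32; ret
 * want_reg selects one register (0..7) or -1 for any. Returns number of hits. */
size_t find_reg_trampolines(const uint8_t *buf, size_t len, uint32_t base,
                            int want_reg, struct gadget *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max_out; i++) {
        uint8_t b0 = buf[i], b1 = buf[i + 1];
        const char *kind = NULL;
        int reg = -1;
        if (b0 == 0xFF && (b1 & 0xF8) == 0xE0)      { kind = "jmp";      reg = b1 & 7; }
        else if (b0 == 0xFF && (b1 & 0xF8) == 0xD0) { kind = "call";     reg = b1 & 7; }
        else if ((b0 & 0xF8) == 0x50 && b1 == 0xC3) { kind = "push/ret"; reg = b0 & 7; }
        if (kind == NULL || (want_reg >= 0 && reg != want_reg))
            continue;
        out[n].addr = base + (uint32_t)i;
        out[n].kind = kind;
        out[n].reg  = reg;
        n++;
    }
    return n;
}

/* The protocol in the thread rejects 0x00 bytes, so test every byte of the encoding. */
int has_null_byte(uint32_t addr)
{
    for (int shift = 0; shift < 32; shift += 8)
        if (((addr >> shift) & 0xFF) == 0) return 1;
    return 0;
}

/* Number of trampolines for want_reg whose address is NULL-free (i.e. actually usable). */
size_t count_null_free(const uint8_t *buf, size_t len, uint32_t base, int want_reg)
{
    struct gadget g[64];
    size_t n = find_reg_trampolines(buf, len, base, want_reg, g, 64), ok = 0;
    for (size_t i = 0; i < n; i++)
        if (!has_null_byte(g[i].addr)) ok++;
    return ok;
}

/* Address of the idx-th match for want_reg, or 0 if there is none. */
uint32_t nth_trampoline_addr(const uint8_t *buf, size_t len, uint32_t base,
                             int want_reg, size_t idx)
{
    struct gadget g[64];
    size_t n = find_reg_trampolines(buf, len, base, want_reg, g, 64);
    return idx < n ? g[idx].addr : 0;
}

/* Constructed 32-byte image (not from any real binary), pretend it is mapped at SAMPLE_BASE. */
#define SAMPLE_BASE 0x7C800FF0u
const uint8_t SAMPLE[32] = {
    0x90, 0x90, 0x55, 0x8B, 0xFF, 0xE0, 0x90, 0x90,  /* +0x04: jmp eax  */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0xFF, 0xE3, 0x90, 0x90, 0x90, 0xFF, 0xD3, 0x90,  /* +0x10: jmp ebx, +0x15: call ebx */
    0x53, 0xC3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,  /* +0x18: push ebx; ret */
};

int main(void)
{
    struct gadget g[64];
    size_t n = find_reg_trampolines(SAMPLE, sizeof SAMPLE, SAMPLE_BASE, 3 /* ebx */, g, 64);
    for (size_t i = 0; i < n; i++)
        printf("0x%08X  %-8s %s%s\n", g[i].addr, g[i].kind, REG_NAMES[g[i].reg],
               has_null_byte(g[i].addr) ? "   <- contains 0x00, unusable here" : "");
    return 0;
}
```

In the constructed image the JMP EBX at 0x7C801000 is found but rejected for its 0x00 byte, while the CALL EBX at 0x7C801005 and the PUSH EBX; RET at 0x7C801008 are both usable; the same filter applied to Webster's stack address 0x0012E6B4 shows why it cannot be sent directly. Two checks a practitioner would add before relying on a hit: confirm in the debugger that the bytes at the chosen address really are FF E3 (or FF D3) in the running process, and pick the gadget from a module whose load address does not change between the target's installs, otherwise the exploit only works on your own box.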
Current thread:
- Help developing an exploit Webster Orkin (Apr 29)
- Re: Help developing an exploit Felix Lindner (Apr 30)
- RE: Help developing an exploit Sol Z List (Apr 30)
- <Possible follow-ups>
- Re: Help developing an exploit Claudio Broglia (Apr 30)