Vulnerability Development mailing list archives

RE: Help developing an exploit


From: "Sol Z List" <RaMatkal () hotmail com>
Date: Mon, 30 Apr 2007 10:21:20 +0200

Generally, when exploiting windows apps the idea isn't to overflow EIP with
the address of your shellcode (if it's on the stack) because as you said the
address contains NULL characters... 

After you overflow the stack do any of the registers point anywhere near
your shellcode? Then all you need to do is overflow EIP with the address of
a JMP (reg) in the process's address space. I.e. suppose EBX points to your
shellcode, then you would overflow EIP with the address of a JMP EBX or CALL
EBX etc... these addresses can be found manually or using metasploit opcode
database..

Hope that was clear...  

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Webster Orkin
Sent: Sunday, April 29, 2007 3:46 AM
To: vuln-dev () securityfocus com
Subject: Help developing an exploit

Hi List,

I discovered a buffer overflow in a networked application that my
company uses.  I plan to notify the company that writes the program,
but I'd like to develop sample exploit code before I do so they'll
take it more seriously.  I've never written exploit code, but I do
have experience with coding, network security, etc.  In the past
couple of weeks I've been looking at a lot of exploit code, reading up
on metasploit, and working with Windbg.  Basically, their program
listens on a TCP port for a connection that sends a username/password
in an XML message.  They don't bounds-check either username (overflows
after 45 chars) or password (overflows after 23 chars).  Playing with
larger inputs, I am able to get a payload sent, and can get values
into EAX, EDX, and EIP at various points.  The problem I've been
having is that my payload ends up at address 0x0012E6B4 and if I try
to get that address into EIP, my entire message is rejected for
containing an x00 character.  Here's what I've found about what I can
send:

(23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into
EDX->EIP)(up to 4500 bytes)

Clearly that last block would be a great place for a payload, but I
just can't seem to get EIP to what I want.  Here are the last three
lines of the program disassembly:
mov     edx,dword ptr [eax]
push    eax
call    dword ptr [edx+8]

That last line is where the debugger keeps stopping because, since I
haven't been able to put in the address I want (0012...), I've been
using invalid memory addresses as space holders (\xb4\xe6\x12\xcc).

I'm not sure if anyone can help, but it feels like I'm very close.  I
can also send along my current metasploit ruby file if that would
help.  If anyone has any suggestions, I'd greatly appreciate it.

Thanks,

-Webster
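A defender-side illustration, added here and not part of the thread: a C model of the situation Webster describes (fixed 45- and 23-byte fields copied without a bounds check, and a crash through an object pointer that the overflow reaches), with the unchecked copy beside a hardened copy that rejects oversized fields. The struct layout, names and sizes are assumptions made for the illustration, not the vendor's code.

```c
#include <string.h>

/* Limits the post reports (constructed sizes, not the vendor's code):
   username overflows after 45 chars, password after 23. */
#define USERNAME_MAX 45
#define PASSWORD_MAX 23

typedef struct session session_t;
typedef struct { void (*slot[3])(session_t *); } session_ops_t; /* slot[2] is [edx+8] */
typedef struct { const session_ops_t *ops; } conn_t;            /* [eax] -> table */
/* Buffers sit before the object pointer, so an overlong field overwrites conn
   and the later "mov edx,[eax]; call [edx+8]" goes through attacker bytes. */
struct session {
    char username[USERNAME_MAX + 1];
    char password[PASSWORD_MAX + 1];
    conn_t *conn;
};

/* Vulnerable form (for contrast only, never called with long input here). */
void set_credentials_unchecked(session_t *s, const char *user, const char *pass) {
    strcpy(s->username, user);
    strcpy(s->password, pass);
}

/* Hardened form: reject oversized or NUL-containing fields instead of
   truncating silently, copy with an explicit bound, always terminate. */
static int copy_field(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= cap || memchr(src, '\0', len) != NULL) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int set_credentials(session_t *s, const char *user, size_t ulen,
                    const char *pass, size_t plen) {
    if (copy_field(s->username, sizeof s->username, user, ulen) != 0) return -1;
    return copy_field(s->password, sizeof s->password, pass, plen);
}

/* Self-check: constructed fields of the given lengths; 1 if the hardened
   path accepts them and conn is untouched, 0 otherwise. */
int accepts_lengths(size_t ulen, size_t plen) {
    static char user[4096], pass[4096];
    session_t s;
    conn_t sentinel = { 0 };
    memset(user, 'A', sizeof user); memset(pass, 'B', sizeof pass);
    s.conn = &sentinel;
    return set_credentials(&s, user, ulen, pass, plen) == 0 && s.conn == &sentinel;
}
```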
