Re: [Dailydave] Exploitation of EIP with only ASCII

From: H D Moore (hdm-daily-davedigitaloffense.net)
Date: Sun Mar 19 2006 - 16:57:41 CST


The process I tend to use:

1) Dump the process's address space with memdump.exe (framework/tools),
then use msfpescan -d <directory created by memdump> with -s/-j/-x to
find a valid return address. Write a filtering script or just hack up
msfpescan to only display addresses that match your allowed character
set.

2) Try to perform a partial overwrite of the return address/SEH ptr and
see if I can change the LSBs to point to an interesting opcode in
the .text section of the calling function (or wherever the SEH happened
to be). If the string is null-terminated for you by the application
(often the case), this gives you access to 0x00XXYYZZ which gives you
even more options for your return.

Good luck!

-hD

On Sunday 19 March 2006 15:08, CIRT.DK Mailinglists wrote:
> Hey there
>
> I have a question: does any of you have ideas on how to exploit a
> buffer overflow where the EIP is controlled, but the only valid
> characters for the part where the EIP is located on the stack are A-Z
> uppercase and nothing else?
>
> In the same bug the SEH is also controlled, but again the only valid
> characters are uppercase A-Z (x41-x5A).
>
> I've tried to see if I could find a valid JMP, JE, JNE, CALL EBX, but so
> far no luck.
>
> Any ideas?
>
> Regards
> Dennis Rand
> CIRT.DK
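The two ideas in HD's reply both come down to the same byte-level check: an address is only usable if every byte it occupies in the string falls inside the allowed set, and a NUL appended by the application loosens that to the low three bytes. The script below, added as an illustration for this thread and not code from the original post or from the Metasploit tools it mentions, makes that check explicit and shows how small the resulting candidate space is. The scan lines it filters are constructed stand-ins with an assumed "0xADDRESS mnemonic" layout, not msfpescan's real output format.

```python
import re
import struct

# The constraint from the thread: uppercase A-Z only, i.e. bytes 0x41-0x5A.
ALLOWED = frozenset(range(0x41, 0x5A + 1))


def address_fits(addr, allowed=ALLOWED, null_terminated=False):
    """True if every byte of the 32-bit little-endian address is in `allowed`.

    With null_terminated=True the application writes the string's terminating
    NUL itself; in little-endian layout that NUL lands in the most significant
    byte, so addresses of the form 0x00XXYYZZ only need their low three bytes
    to fit the character set (the 0x00XXYYZZ case from the reply)."""
    raw = struct.pack("<I", addr)
    if null_terminated and raw[3] == 0:
        raw = raw[:3]
    return all(b in allowed for b in raw)


def count_fitting_addresses(allowed=ALLOWED, null_terminated=False):
    """Size of the set accepted by address_fits, computed combinatorially:
    |allowed|^4 fully printable addresses, plus |allowed|^3 for 0x00XXYYZZ
    when the terminator supplies a high byte that the charset itself lacks."""
    n = len(allowed)
    total = n ** 4
    if null_terminated and 0 not in allowed:
        total += n ** 3
    return total


def fraction_of_address_space(allowed=ALLOWED, null_terminated=False):
    """Share of the 4 GiB 32-bit space that passes the filter."""
    return count_fitting_addresses(allowed, null_terminated) / 2 ** 32


def partial_overwrite_candidates(original, low_bytes, allowed=ALLOWED):
    """Addresses reachable by replacing only the lowest `low_bytes` bytes of
    an existing pointer (the partial-overwrite idea from step 2), keeping the
    untouched high bytes exactly as they were."""
    assert 1 <= low_bytes <= 4
    keep_mask = 0xFFFFFFFF << (8 * low_bytes) & 0xFFFFFFFF
    base = original & keep_mask
    candidates = {base}
    for _ in range(low_bytes):
        candidates = {c << 8 | b for c in candidates for b in allowed}
    # Shifting the kept high bytes along with the new low bytes overshoots;
    # rebuild each candidate from the preserved high part plus new low part.
    low_mask = ~keep_mask & 0xFFFFFFFF
    return {base | (c & low_mask) for c in candidates}


# Constructed sample lines in an assumed "0xADDRESS mnemonic" layout.
SAMPLE_SCAN = [
    "0x7c8369f0 jmp esp",
    "0x41424344 jmp esp",
    "0x004a4b4c call ebx",
    "0x5a5a5a20 pop pop ret",
]

ADDR_RE = re.compile(r"0x([0-9a-fA-F]{8})")


def filter_scan_output(lines, allowed=ALLOWED, null_terminated=False):
    """Keep only lines whose first 32-bit hex address passes address_fits."""
    kept = []
    for line in lines:
        m = ADDR_RE.search(line)
        if m and address_fits(int(m.group(1), 16), allowed, null_terminated):
            kept.append(line)
    return kept


if __name__ == "__main__":
    for nul in (False, True):
        print(f"null_terminated={nul}: {count_fitting_addresses(null_terminated=nul)} "
              f"addresses ({fraction_of_address_space(null_terminated=nul):.4%})")
        for line in filter_scan_output(SAMPLE_SCAN, null_terminated=nul):
            print("   ", line)
    print(len(partial_overwrite_candidates(0x00401234, 1)), "one-byte candidates")
```

The counts are the point: 26 printable values per byte give 26^4 = 456,976 fully-constrained addresses in a 32-bit space, and the application-supplied terminator adds another 26^3 in the 0x00XXYYZZ range, which is why a NUL-terminated copy is worth checking for before assuming the constraint is fatal. A one-byte partial overwrite narrows the search to just 26 neighbours of the original pointer, all within the same 256-byte page of code the function already lives in.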