RE: Fwd: [Dailydave] RE: We have the enemy, and the enemy is... you

From: Dave Korn (dave.kornartimi.com)
Date: Fri Apr 14 2006 - 09:41:51 CDT


On 14 April 2006 04:20, H D Moore wrote:

> interesting - you end up overwriting two local variables which happen to
> be the source and destination pointers for an inlined memcpy. If you can
> make it past the memcpy, the app will return to your address of choice.
> There are no SEH frames on the stack, so you have to pass the copy before
> being able to abuse the return address overwrite.
>
> At this point, you have quite a few options:

  Heh, ret-2-memcpy sploits are fun! So many possibilities!

> Since I had already wasted too much time with this bug, I chose the last
> option and used a 'jmp esp' in DLClient.dll (after using a src/dst
> pointer from DLClient.dll's data to pass the memcpy). The result is
> reliable execution of at least 500 bytes of payload. The only annoying
> part is making the payload pass through tolower() :-)

  Another annoying part can be finding both a source address and a destination address, AND sometimes a return address, that all have no zeros in them! (I once spent quite some time struggling against this in a sploit... never did get it in the end.)

    cheers,
      DaveK
--
Can't think of a witty .sigline today....