Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Gary O'leary-Steele (garyo_at_sec-1.com)
Date: Fri Nov 15 2002 - 11:26:50 CST
I am attempting to write exploit code for the coldfusion heap overflow
On advice from various on the secfocus list i have installed softice and
located the exception handler in question.
The handler code starts at
The code I am trying to manipulate is at
0x77f8e43b Mov ecx, [ebp+0x18]
0x77f8e43e call ecx
where ebp changes each time the exception is called
I can control the following values within the following instruction,
mov [ecx] , eax
where ecx and eax can be any value I specify. The problem (or my lack of
understanding) is that the stack frame is set-up when the exception is
handled and i can't seem to write to [ebp+0x18] due to the fact it changes
etc (stop me if i'm wrong)
attempting to overwrite the instruction (sorry if this is a basic can't do)
with mov [ecx],eax where ecx = 0x77f8e43b and eax =0x41414141 doesn't seem
to do anything ?
Any help or pointers are greatly appreciated.
Thanks in advance.