From: Gary O'leary-Steele (garyo_at_sec-1.com)
Date: Fri Nov 15 2002 - 11:26:50 CST
Hi all,
I am attempting to write exploit code for the ColdFusion heap overflow
(still).
On advice from various people on the SecurityFocus list I have installed SoftICE and
located the exception handler in question.
The handler code starts at
0x77f82b95
The code I am trying to manipulate is at
0x77f8e43b mov ecx, [ebp+0x18]
0x77f8e43e call ecx
where ebp changes each time the exception is called.
I can control the following values within the following instruction,
mov [ecx], eax
where ecx and eax can be any value I specify. The problem (or my lack of
understanding) is that the stack frame is set up when the exception is
handled and I can't seem to write to [ebp+0x18] due to the fact it changes
etc. (stop me if I'm wrong).
Attempting to overwrite the instruction (sorry if this is a basic can't-do)
with mov [ecx], eax where ecx = 0x77f8e43b and eax = 0x41414141 doesn't seem
to do anything?
Any help or pointers are greatly appreciated.
Thanks in advance.
Kind Regards
Gary
Sec-1
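Added example, not code from the post above, from ColdFusion, or from ntdll: a small C model of the two pieces the message describes, an arbitrary-write primitive (mov [ecx], eax with both registers controlled) and a dispatch site that loads a callback pointer from a frame slot and calls it (mov ecx, [ebp+0x18]; call ecx). Every name, the struct layout, the handlers and the use of 0x18 as a field offset are constructed for illustration. It contrasts the two kinds of target such a write can aim at: a pointer at a fixed, process-global address, which can be retargeted with a precomputed "where", and a pointer living in a per-invocation frame, whose "where" has to be computed from that frame's live base address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration; not code from the post, ColdFusion or ntdll.
 * It models:
 *   1. an arbitrary write primitive ("mov [ecx], eax", ecx and eax controlled)
 *   2. a dispatch site that fetches a callback from a frame slot and calls it
 *      ("mov ecx, [ebp+0x18]; call ecx")
 * All addresses, layouts and handler functions below are assumptions. */

typedef int (*handler_fn)(void);

static int benign_handler(void)   { return 0; }
static int attacker_payload(void) { return 0x41; }  /* stands in for shellcode */

/* The write-what-where primitive: store the value 'what' at address 'where'. */
static void write_what_where(uintptr_t where, uintptr_t what)
{
    memcpy((void *)where, &what, sizeof what);
}

/* Target 1: a process-global handler table. Its address is fixed for the
 * life of the process, so 'where' can be chosen before the write happens. */
static handler_fn g_handler_table[4];

static int dispatch_from_table(size_t idx)
{
    return g_handler_table[idx]();
}

/* Target 2: a per-invocation frame whose callback slot sits at a fixed
 * offset (0x18 here, mirroring the post's [ebp+0x18]) from a base address
 * that differs on every invocation. */
struct frame {
    uint8_t    pad[0x18];
    handler_fn saved_callback;   /* the slot at base + 0x18 */
};

static size_t frame_slot_offset(void)
{
    return offsetof(struct frame, saved_callback);
}

static int dispatch_from_frame(const struct frame *f)
{
    return f->saved_callback();
}

/* Scenario A: retarget a table entry using a fixed 'where'. Returns what the
 * dispatcher executes afterwards (0 = benign handler, 0x41 = payload). */
static int hijack_table_entry(size_t idx)
{
    for (size_t i = 0; i < 4; i++)
        g_handler_table[i] = benign_handler;
    write_what_where((uintptr_t)&g_handler_table[idx], (uintptr_t)attacker_payload);
    return dispatch_from_table(idx);
}

/* Scenario B: retarget the frame slot. The base is only known once the frame
 * exists, so 'where' must be derived as base + 0x18 at that moment; an
 * address remembered from an earlier frame points at stale memory. */
static int hijack_frame_slot(struct frame *f)
{
    f->saved_callback = benign_handler;
    uintptr_t where = (uintptr_t)f + frame_slot_offset();
    write_what_where(where, (uintptr_t)attacker_payload);
    return dispatch_from_frame(f);
}

int main(void)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    printf("table entry hijacked  -> 0x%x\n", hijack_table_entry(2));
    printf("frame slot hijacked   -> 0x%x\n", hijack_frame_slot(&f));
    printf("untouched table entry -> 0x%x\n", dispatch_from_table(0));
    return 0;
}
```

Build with a plain `cc` invocation. The point of the model is that the primitive stores data: its useful targets are writable pointers that the program will later load and call (a global table entry here, the frame slot at base + 0x18 in the second scenario), and for a frame-relative slot the attacker needs the live base for that invocation, not an address observed on a previous one.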