Bugtraq mailing list archives

RE: WebDav Exploit ffs

From: "Exurity Debugs" <exbugs () rogers com>
Date: Thu, 27 Mar 2003 17:02:53 -0500

I don't believe your shell code will work on other Kernel32.dll than the
version with the following ImageBase:
"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..

Because your code is reversed as:

loc_8F:
    mov     eax, [esi]
    add     eax, ebp
    cmp     dword ptr [eax], 50746547h
    jnz     short loc_C0
    cmp     dword ptr [eax+4], 41636F72h
    jnz     short loc_C0
    cmp     dword ptr [eax+8], 65726464h
    jnz     short loc_C0
    mov     eax, [edi+24h]
    add     eax, ebp
    movzx   ebx, word ptr [eax+edx*2]
    mov     eax, [edi+1Ch]
    add     eax, ebp
    mov     ebx, [eax+ebx*4]
    add     ebx, ebp

        ; should jump to found
loc_C0:
    add     esi, 4
    inc     edx
    cmp     edx, [edi+18h]
    jnz     short loc_8F
        ; then reached all and could not find, so find another version
So, if the Kernel32.dll happens to be different than the default, it will
simply crash without going too far.
Best regards
Peter Huang
Jumpable, Callable & Overflowing XPoson, New Exploitation Technology on the
way

Current thread:

NetBSD Security Advisory 2003-008: faulty length checks in xdrmem_getbytes NetBSD Security Officer (Mar 26)
- RE: WebDav Exploit ffs Exurity Debugs (Mar 27)