Full Disclosure mailing list archives

Re: Heap overflow problem----Help


From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Sun, 07 May 2006 12:30:00 +0200

If I remember, you need to set the UEF back to its previous state: look
up its previous state and add a small line of assembly at the start of your
shellcode which will modify the UEF back.

Tauqeer Ahmad wrote:
Hi all

I am exploiting a heap-based buffer overflow in one of the FTP servers
on Windows 2000 Advanced Server with no SP. The problem that I face is
that when using the UEF (unhandled exception filter) method it doesn't work.
The following is the data:

EAX -> 77E4FB7A ----- address of CALL DWORD PTR [ESI + 4C]
ECX -> 77EE044C ----- pointer to UnhandledExceptionFilter

When program executes the following instruction what happens is
explained beside the instruction:

MOV DWORD PTR DS:[ECX], EAX -----THIS IS OK ADDRESS IS COPIED AT UEF
MOV DWORD PTR DS:[EAX+4], ECX --- THIS ACCESS VIOLATES

The reason it access violates is that [EAX + 4] is pointing to the code
segment, which is readable. When it's trying to write to it the program
crashes.

What I want to ask is: where am I going wrong? Everything seems to
be right, but logic says that it must crash at MOV DWORD PTR DS:[EAX+4],
ECX. What I am getting from all this is that I am missing the
UEF (however, it is unlikely, since I have disassembled the
SetUnhandledExceptionFilter function and got the address from there),
because when the instruction access violated the UEF should have been
executed and control should have been transferred to CALL DWORD PTR [ESI
+ 4C]. Please correct me if I am wrong or if I am using the wrong method
on the wrong OS. Furthermore, when I run the server without a debugger and
exploit it, EAX and ECX end up somewhere else. I mean to say that the
provided data doesn't get copied into the registers. Thanks in advance for the
help.

Regards,

Tauqeer Ahmad



-------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
