Vulnerability Development mailing list archives

Re: exploit for W98 long filename extensions buffer overflow


From: bfh_second () GMX DE (Benjamin H.)
Date: Fri, 28 Apr 2000 12:59:42 +0200


Hello,

the "jmp sp" in Laurent Eschenauer's exploit at BFB9AD77 seems not to
be static, as it doesn't work on my installation of win98/SE [german].

Here's the result of his exploit on my box:

EXPLORER verursachte einen Fehler durch eine ungültige Seite
in Modul <Unbekannt> bei 0000:bfb9ad77.
Register:
EAX=50505050 CS=0167 EIP=bfb9ad77 EFLGS=00010202
EBX=80070032 SS=016f ESP=00c2d8fc EBP=60606060
ECX=00c2fda4 DS=016f ESI=00460234 FS=38af
EDX=c1572eb0 ES=016f EDI=7fcbd320 GS=0000
Bytes bei CS:EIP:

Stapelwerte:
43427044 43cccccc 43427244 43427344
43427444 43427544 43427644 43427744
43427844 43427944 44436144 44436245
44436345 44436445 44436545 44436645

As EIP still points to BFB9AD77, I think there was no code executed.
Also the three CC (int 3) are not at the beginning of the stack, where
I think they should be, according to L.E.'s code (or am I misinterpreting
the error message?).

There's one interesting thing on my machine:
The low word of ESP is always D8FC (even after several reboots and
starting other programs). Might this help somehow?

Does anyone know how to get EIP pointing to the stack?
Or might there be a way to execute code that's in EBP (as we control it,
too), something like "mov [ebx], ebp ; jmp ebx"?

I think I've got some code written, but I can't test it, as I can't get
the "jmp sp" thing working.

I hope somebody out there has a solution or knows at least a tool for
finding static code (perhaps in the kernel?).

Thanks in advance,

Benjamin Hummel

--
Sent through GMX FreeMail - http://www.gmx.net
