Vulnerability Development mailing list archives
Re: MS05-039
From: A A <hd78432 () yahoo com>
Date: Tue, 13 Sep 2005 05:11:12 -0700 (PDT)
Can anyone tell me the name of the function or memory location where the vulnerability occurs (and whether it is in the .exe or in one of the .dlls)? I've been digging for this for a while.

--- A A <hd78432 () yahoo com> wrote:

The HOD exploit for MS05-039 has been tested on Windows 2000 SP4. Based upon the comments in the machine code for the RPC call, I am assuming the return address for the buffer overflow to be 0x767a1567. Is this memory address the return address for the buffer overflow? If this address is the return address for the buffer overflow, the code that it returns to looks something like this: "pop eax / pop esi / ret". Why would overflowing to an address that pops a value into the eax register cause this program to become vulnerable? I don't see why overflowing to this address would cause a program to become vulnerable. Does anyone know what the machine code looks like exactly before the spot in the vulnerable program where this vulnerability occurs?
Current thread:
- MS05-039 A A (Sep 09)
- RE: MS05-039 Ben Nagy (Sep 12)
- Re: MS05-039 A A (Sep 13)
- Re: MS05-039 Bill Weiss (Sep 14)
- <Possible follow-ups>
- Re: MS05-039 A A (Sep 29)