Vulnerability Development mailing list archives
Re: MS05-039
From: Bill Weiss <houdini+vuln-dev () clanspum net>
Date: Tue, 13 Sep 2005 20:39:08 +0000
A A(hd78432 () yahoo com)@Fri, Sep 09, 2005 at 04:52:06AM -0700:
The HOD exploit for ms05-39 has been tested on windows 2000 sp4. Based upon the comments in the machine code for the rpc call I am assuming the return address for the buffer overflow to be 0x767a1567. Is this memory address the return address for the buffer overflow? If it is the case that this address is the return address for the buffer overflow the code that it returns to looks something like this: "pop eax pop esi ret" Why would overflowing to an address that pops a value into the eax register cause this program to become vulnerable? I don't see why overflowing to this address would cause a program to become vulnerable.
"pop/pop/ret" is an indicator of a SEH overflow. In a exception handler, 8 bytes below TOS is the address of the "exception frame". This is code we have already overwritten. Thus, pop/pop/ret lets us jump into our code without knowing where on the stack it is. You can ignore where the pops are putting their data, since it doesn't matter for this. As long as they aren't popping into esp (or ebp, maybe) it won't matter. SEH is a reliability technique in Windows exploits. Because we are exploiting an address given to us to find our code, the exploit can be much more reliable between running copies of the program. -- Bill Weiss
Current thread:
- MS05-039 A A (Sep 09)
- RE: MS05-039 Ben Nagy (Sep 12)
- Re: MS05-039 A A (Sep 13)
- Re: MS05-039 Bill Weiss (Sep 14)
- <Possible follow-ups>
- Re: MS05-039 A A (Sep 29)