Re: MS05-039

[Bill Weiss <houdini+vuln-dev () clanspum net>]

A A(hd78432 () yahoo com)@Fri, Sep 09, 2005 at 04:52:06AM -0700:
> The HOD exploit for ms05-39 has been tested on windows
> 2000 sp4.  Based upon the comments in the machine code
> for the rpc call I am assuming the return address for
> the  buffer overflow to be 0x767a1567.  Is this memory
> address the return address for the buffer overflow?
>
>   If it is the case that this address is the return
> address for the buffer overflow the code that it
> returns to looks something like this:
> "pop eax
>  pop esi
>  ret"
> Why would overflowing to an address that pops a value
> into the eax register cause this program to become
> vulnerable?  I don't see why overflowing to this
> address would cause a program to become vulnerable.  

"pop/pop/ret" is an indicator of a SEH overflow.  In a exception handler,
8 bytes below TOS is the address of the "exception frame".  This is code
we have already overwritten.  Thus, pop/pop/ret lets us jump into our
code without knowing where on the stack it is.

You can ignore where the pops are putting their data, since it doesn't
matter for this.  As long as they aren't popping into esp (or ebp, maybe)
it won't matter.

SEH is a reliability technique in Windows exploits.  Because we are
exploiting an address given to us to find our code, the exploit can be
much more reliable between running copies of the program.

-- 
Bill Weiss