lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 16 Oct 2009 07:42:21 -0700
From: Freddie Vicious <fred.vicious@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Remote buffer overflow in httpdx

Just saw this on Twitter, an MSF exploit published:
http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/

On Fri, Oct 9, 2009 at 7:58 PM, <pankaj208@...il.com> wrote:

> The addr value used is required to reach the ret instruction. The value
> used 0x63b8624f lies in idata segment of n.dll
> Note that in order to reach ret instruction,
> value at addr+0x0e0f should be non-zero for
> if(isset(client->serve.redirect)) to succeed  => 004069E1  CMP BYTE PTR
> DS:[EAX+0E0F],0
> and
> addr+0x0f24 should be writable for client->state = STATE_DONE to execute.
> => 00406AAF  MOV DWORD PTR DS:[EAX+0F24],0
>
> The other two addresses used are
> ret1 = 0x64f8134b (pop ret in core.dll) to pop addr and return to ret2
> ret2 = 0x7c874413 (jmp esp in kernel32.dll) to jump to shellcode following
> ret2.
>
> Though I am able to get a shell, the retn/offsets used are not universal.
>
> Thanks,
> Pankaj
>



-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists