lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20091010025851.25105.qmail@securityfocus.com>
Date: 10 Oct 2009 02:58:51 -0000
From: pankaj208@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: Remote buffer overflow in httpdx

The addr value used is required to reach the ret instruction. The value used 0x63b8624f lies in idata segment of n.dll
Note that in order to reach ret instruction,
value at addr+0x0e0f should be non-zero for if(isset(client->serve.redirect)) to succeed  => 004069E1  CMP BYTE PTR DS:[EAX+0E0F],0
and
addr+0x0f24 should be writable for client->state = STATE_DONE to execute. => 00406AAF  MOV DWORD PTR DS:[EAX+0F24],0

The other two addresses used are
ret1 = 0x64f8134b (pop ret in core.dll) to pop addr and return to ret2
ret2 = 0x7c874413 (jmp esp in kernel32.dll) to jump to shellcode following ret2.

Though I am able to get a shell, the retn/offsets used are not universal.

Thanks,
Pankaj

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ