lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun May  7 10:52:33 2006
From: ahmadtauqeer at yahoo.com (Tauqeer Ahmad)
Subject: Heap based overflow Problem--Help

  Hi all,
   
  I am exploiting a heap-based buffer overflow in one of the ftp server on window 2000 advanced server with no SP. The problem that I face is that when using UEF(unhandled exception filter) method it doesn?t work. The following is the data:
   
  EAX  ?  77E4FB7A -----  Address of CALL DWORD PTR [ESI + 4C]
  ECX  ?  77EE044C  -----  pointer to UnhandeledExceptionFilter
   
  When program executes the following instruction what happens is explained beside the instruction:
   
  MOV DWORD PTR DS:[ECX], EAX -----THIS IS OK ADDRESS IS COPIED AT UEF
  MOV DWORD PTR DS:[EAX+4], ECX --- THIS ACCESS VIOLATES
   
  The reason it access violates is that [EAX + 4] is pointing to code segment which is readable. When it?s trying to write at it the program crashes.
   
  What I want to ask is that where I am going wrong. Every thing seems to be right but logic says that it must crash at MOV DWORD PTR DS:[EAX+4], ECX. What I am getting from all this is that I am missing the UEF (However, it is unlikely since I have disassembled the SetUnhandledExceptionFilter function and get the address from there) because when the instruction access violated UEF should have been executed and control should have been transferred to CALL DWORD PTR [ESI + 4C]. Please correct me if I am wrong or if I am using the wrong method on wrong OS. Furthermore, when I run the server without debugger and exploit it the EAX and ECX ends up some where else. I mean to say that provided data don?t get copied on the registers. Advance thanks for the help.
   
  Regards,
   
  Tauqeer Ahmad
   
   



		
---------------------------------
New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060507/550ce255/attachment.html

Powered by blists - more mailing lists