List: bugtraq
Subject: Re: Re: Remote buffer overflow in httpdx
From: pankaj208 () gmail ! com
Date: 2009-10-10 2:58:51
Message-ID: 20091010025851.25105.qmail () securityfocus ! com
The addr value used is required to reach the ret instruction. The value used, 0x63b8624f, lies in the idata segment of n.dll. Note that in order to reach the ret instruction, the value at addr+0x0e0f should be non-zero for if(isset(client->serve.redirect)) to succeed:

  004069E1 CMP BYTE PTR DS:[EAX+0E0F],0

and addr+0x0f24 should be writable for client->state = STATE_DONE to execute:

  00406AAF MOV DWORD PTR DS:[EAX+0F24],0
The other two addresses used are:
ret1 = 0x64f8134b (pop ret in core.dll) to pop addr and return to ret2
ret2 = 0x7c874413 (jmp esp in kernel32.dll) to jump to shellcode following ret2.
Though I am able to get a shell, the retn/offsets used are not universal.
Thanks,
Pankaj