[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: Re: Remote buffer overflow in httpdx
From:       pankaj208 () gmail ! com
Date:       2009-10-10 2:58:51
Message-ID: 20091010025851.25105.qmail () securityfocus ! com
[Download RAW message or body]

The addr value used is required to reach the ret instruction. The value used \
0x63b8624f lies in idata segment of n.dll Note that in order to reach ret \
instruction, value at addr+0x0e0f should be non-zero for \
if(isset(client->serve.redirect)) to succeed  => 004069E1  CMP BYTE PTR \
DS:[EAX+0E0F],0 and
addr+0x0f24 should be writable for client->state = STATE_DONE to execute. => 00406AAF \
MOV DWORD PTR DS:[EAX+0F24],0

The other two addresses used are
ret1 = 0x64f8134b (pop ret in core.dll) to pop addr and return to ret2
ret2 = 0x7c874413 (jmp esp in kernel32.dll) to jump to shellcode following ret2.

Though I am able to get a shell, the retn/offsets used are not universal.

Thanks,
Pankaj


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic