
List:       darklab
Subject:    Re: [DARKLAB] SP2 software DEP in action ?
From:       Guy Incognito <guyincognito2 () bk ! ru>
Date:       2004-10-25 7:25:02
Message-ID: 1835354994.20041025092502 () bk ! ru

hi,

Sunday, October 24, 2004, 8:55:05 PM, you wrote:

        Yes, I had the same problem.
        At my exploit
        http://www.cnhonker.com/index.php?module=exploits&act=view&type=9&id=655

        but after using tons of POP RET POP RET RET addresses, I found
        one:
        /* SYNCOR11.DLL XP sp2 full patched english version
        6BD01395    5E              POP ESI
        6BD01396    33C0            XOR EAX,EAX
        6BD01398    5D              POP EBP
        6BD01399    C2 0800         RETN 8
        */

        But why this addr worked I don't know?
        I also coded more exploits which overwrite SEH on my SP2
        system and all worked well, but this FTP server made problems.

best regards ,
     Delikon


mn> Hi there :)

mn> I'm inspecting a buffer overflow within a webserver under WinXP SP2...
mn> There are the following conditions:

mn> - Most pages are set to NX - even the ntdll.dll & kernel32.dll stuff.
mn> - Executable memory regions remain in address space starting with 00.
mn> - I can overflow the stack...
mn> - most exception record values I replace don't get called.

mn> When I read about SP2, I can read about 2 points:

mn> - some people wonder why they can not exploit using the SEH handler method
mn> - some people say "software DEP isn't strong when code is not compiled
mn> with Safe SEH", "Non-system binaries are still exploitable" & stuff
mn> (disinformation?) like that.

mn> I don't know if the executable is compiled with SAFE SEH - I expect it
mn> isn't.

mn> I tried to point the SEH record to the stack -> won't work, I get an exception
mn> loop.

mn> I tried to point SEH into a region called "MAP" within Olly. Works - but
mn> there is just not the code I need. (and even if it would - the memory
mn> content is different in every installation...)

mn> I tried to point SEH into an unmapped memory region -> works.

mn> I tried to point SEH to winsock32.dll address space (random address) ->
mn> works, but the processor switches to single stepping mode.

mn> I tried to not trigger the SEH and use the RET ADDR overwrite method. Then
mn> I found out that all the RET addresses on the stack can't be overflowed.
mn> They are below the buffer (means: addresses with minor/smaller value).
mn> Exception: In Olly's call stack, the first "function" the EIP dives in is
mn> not described as "call to function()...." like Olly's call stack describes
mn> it usually, but Olly says "module_xxx includes main()..."
mn> I can overflow that return address of that include - but I don't know how
mn> to return.

mn> Pressing Ctrl+C to exit the application just exits the application, and
mn> after all I know - the application can't be stopped another way.

mn> What I'm asking myself: Is it the application itself that makes
mn> exploitation harder / impossible - or is it SP2 ?

mn> here's the link to download the webserver:
mn> http://people.freenet.de/TheKings/down/webby.zip

mn> here's the page of the coder:
mn> http://www.ccpp.de.ms/progs/webby.html

mn> Maybe somebody on the list is curious, too... :)
mn> Sorry I haven't mentioned more details - my sister is using the main
mn> computer, where all the notices about this are saved... I'm not allowed to
mn> disturb her =D

mn> So, see for yourself and good night =)

mn> greetz,
mn> Ole

mn> P.S.:
mn> I forgot to mention that the buffer overflow occurs when you 
mn> GET /filename.htmabout820charsAAAAAAAAAAA...

-- 
Best regards,
 Guy                            mailto:guyincognito2@bk.ru
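Delikon's reply hinges on the loaded module lacking SafeSEH, and Ole says he does not know whether the executable was built with it; both facts can be read straight from the PE headers. The following is an added example, not code from this thread or from either exploit: it parses a PE32 image for the /NXCOMPAT bit in DllCharacteristics and for a SEHandlerTable in the load config directory, which is what makes the loader refuse handlers that are not registered. The function names and the minimal sample image built by `build_sample_pe` are assumptions for the demo; point `check_pe_mitigations` at the bytes of a real 32-bit DLL or EXE to audit it.

```python
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100   # set by the linker's /NXCOMPAT
LOAD_CONFIG_DIR = 10                          # data-directory index of the load config

def _rva_to_offset(rva, sections):
    # sections: (VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    return None

def check_pe_mitigations(data):
    """Report NX-compat and SafeSEH status of a PE32 image supplied as bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                          # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    sec_tbl = opt + opt_size
    sections = [struct.unpack_from("<III", data, sec_tbl + i * 40 + 12) for i in range(nsections)]
    cfg_rva = struct.unpack_from("<I", data, opt + 96 + 8 * LOAD_CONFIG_DIR)[0]
    safeseh = False
    if cfg_rva:
        off = _rva_to_offset(cfg_rva, sections)
        if off is not None and off + 72 <= len(data):
            # IMAGE_LOAD_CONFIG_DIRECTORY32: SEHandlerTable at +64; a module with a table is SafeSEH
            safeseh = struct.unpack_from("<I", data, off + 64)[0] != 0
    return {"nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT), "safeseh": safeseh}

def build_sample_pe(nx, safeseh):
    """Constructed minimal PE32 (headers plus one data section, no code) used as sample input."""
    loadcfg = bytearray(72)
    struct.pack_into("<I", loadcfg, 0, 72)                     # Size of the load config struct
    struct.pack_into("<II", loadcfg, 64, 0x1100 if safeseh else 0, 1 if safeseh else 0)
    opt = bytearray(224)                                       # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_NX_COMPAT if nx else 0)
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR, 0x1000, 72)
    sec = bytearray(b".rdata\0\0") + bytes(32)                # one section: RVA 0x1000 from file 0x200
    struct.pack_into("<IIII", sec, 8, 0x200, 0x1000, 0x200, 0x200)
    hdr = bytearray(b"MZ") + bytes(0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                    # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    img = hdr + coff + opt + sec
    img += b"\0" * (0x200 - len(img)) + loadcfg + b"\0" * (0x200 - len(loadcfg))
    return bytes(img)
```

A module that reports `safeseh: False` is one whose in-image addresses the SP2 exception dispatcher will still accept as handlers, which is exactly the condition Delikon's SYNCOR11.DLL address relied on.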

-
The DarkLab.org mailing list.  http://www.darklab.org