List: darklab
Subject: Re: [DARKLAB] SP2 software DEP in action ?
From: Guy Incognito <guyincognito2 () bk ! ru>
Date: 2004-10-25 7:25:02
Message-ID: 1835354994.20041025092502 () bk ! ru
hi,
Sunday, October 24, 2004, 8:55:05 PM, you wrote:
Yes, I had the same problem
with my exploit
http://www.cnhonker.com/index.php?module=exploits&act=view&type=9&id=655
but after using tons of POP RET POP RET RET addresses, I found
one
/* SYNCOR11.DLL XP sp2 full patched english version
6BD01395 5E POP ESI
6BD01396 33C0 XOR EAX,EAX
6BD01398 5D POP EBP
6BD01399 C2 0800 RETN 8
*/
But why this address worked, I don't know.
I also coded more exploits which overwrite SEH on my SP2
system, and all worked well, but this FTP server caused problems.
best regards ,
Delikon
mn> Hi there :)
mn> I'm inspecting a buffer overflow within a webserver under WinXP SP2...
mn> There are the following conditions:
mn> - Most pages are set to NX - even the ntdll.dll & kernel32.dll stuff.
mn> - Executable Memory Regions remain in address space starting with 00.
mn> - i can overflow the stack...
mn> - most exception record values I replace don't get called.
mn> When I read about SP2, I can read about 2 points:
mn> - some people wonder why they can not exploit using the seh handler method
mn> - some people say "software DEP isn't strong when code is not compiled
mn> with Safe SEH", "non-system binaries are still exploitable" & stuff
mn> (disinformation ?) like that.
mn> I don't know if the executable is compiled with SAFE SEH - I expect it
mn> isn't.
mn> I tried to point the SEH record to the stack -> won't work, I get an exception
mn> loop.
mn> I tried to point SEH into a region called "MAP" within Olly. Works - but
mn> there is just not the code I need. (and even if it would - the memory
mn> content is different in every installation...)
mn> I tried to point SEH into an unmapped memory region -> works.
mn> I tried to point SEH to winsock32.dll address space (random address) ->
mn> works, but the processor switches to single stepping mode.
mn> I tried to not trigger the SEH and use the RET ADDR overwrite method. Then
mn> I found out that all the RET addresses on the stack can't be overflowed.
mn> They are below the buffer (means: addresses with minor/smaller value).
mn> Exception: In Olly's call stack, the first "function" the EIP dives in is
mn> not described as "call to function()...." like Olly's call stack describes
mn> it usually, but Olly says "module_xxx includes main()..."
mn> I can overflow that return address of that include - but I don't know how
mn> to return.
mn> Pressing Ctrl+C to exit the application just exits the application and
mn> after all I know - the application can't be stopped another way.
mn> What I'm asking myself: Is it the application itself that makes
mn> exploitation harder / impossible - or is it SP2 ?
mn> here's the link to download the webserver:
mn> http://people.freenet.de/TheKings/down/webby.zip
mn> here's the page of the coder:
mn> http://www.ccpp.de.ms/progs/webby.html
mn> Maybe somebody on the list is curious, too... :)
mn> sorry I haven't mentioned more details - my sister is using the main
mn> computer, where all the notes about this are saved... I'm not allowed to
mn> disturb her =D
mn> So, see for yourself and good night =)
mn> greetz,
mn> Ole
mn> P.S.:
mn> I forgot to mention that the buffer overflow occurs when you
mn> GET /filename.htmabout820charsAAAAAAAAAAA...
--
Best regards,
Guy mailto:guyincognito2@bk.ru
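Whether a module was linked with SafeSEH (the doubt Ole raises above, and the reason XP SP2 "software DEP" refuses most overwritten handler addresses) can be read straight from the module's own headers: the linker records an SEHandlerTable in IMAGE_LOAD_CONFIG_DIRECTORY, and a handler not listed there is never dispatched. The checker below is an added example, not code from this thread; it assumes a 32-bit PE32 image and embeds a constructed minimal image so it runs offline, which is also a quick way to audit your own builds for /SAFESEH.

```python
"""Check whether a 32-bit PE module was linked with /SAFESEH: an SEHandlerTable in
IMAGE_LOAD_CONFIG_DIRECTORY. Added example, not code from the thread; the sample
image below is constructed and minimal, not a real module."""
import struct

LOAD_CONFIG_INDEX = 10  # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for vsize, va, rsize, raw in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not inside any section" % rva)

def safeseh_info(data):
    """Return (has_safeseh, handler_count) for PE32 image bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    lc_rva = ndirs > LOAD_CONFIG_INDEX and struct.unpack_from("<I", data, opt + 96 + 8 * LOAD_CONFIG_INDEX)[0]
    if not lc_rva:
        return False, 0  # no load config entry: nothing for software DEP to consult
    sec_hdr = opt + struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    sections = [struct.unpack_from("<IIII", data, sec_hdr + 40 * i + 8) for i in range(nsec)]
    off = rva_to_offset(sections, lc_rva)
    if struct.unpack_from("<I", data, off)[0] < 0x48:  # struct predates the SEH fields
        return False, 0
    table, count = struct.unpack_from("<II", data, off + 0x40)
    return table != 0, count  # non-zero table: only the listed handlers are dispatched

def build_sample_pe(with_safeseh):
    """Constructed PE32: headers at 0x40, one section whose RVA equals its file offset."""
    opt = bytearray(224)  # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_INDEX, 0x200, 0x48)
    sec = bytearray(40)
    struct.pack_into("<IIII", sec, 8, 0x48, 0x200, 0x200, 0x200)  # VirtualSize, VA, RawSize, RawPtr
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    img = bytearray(0x400)
    img[:2], img[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)
    img[0x40:0x40 + 288] = b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    struct.pack_into("<I", img, 0x200, 0x48)  # load config Size field
    if with_safeseh:
        struct.pack_into("<II", img, 0x240, 0x248, 2)  # SEHandlerTable RVA, SEHandlerCount
    return bytes(img)
```

Run `safeseh_info(open(path, "rb").read())` on a real DLL to see whether it carries a handler table; `(False, 0)` means the module is not covered by software DEP's handler check.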
-
The DarkLab.org mailing list. http://www.darklab.org