
List:       fuzzing
Subject:    [fuzzing] Heap based overflow Problem--Help
From:       ahmadtauqeer () yahoo ! com (Tauqeer Ahmad)
Date:       2006-05-07 9:52:03
Message-ID: 20060507095203.73824.qmail () web38612 ! mail ! mud ! yahoo ! com

Hi all,

I am exploiting a heap-based buffer overflow in one of the FTP servers on Windows 2000 Advanced Server with no SP. The problem that I face is that when using the UEF (unhandled exception filter) method it doesn't work. The following is the data:

EAX = 77E4FB7A ----- address of CALL DWORD PTR [ESI + 4C]
ECX = 77EE044C ----- pointer to UnhandledExceptionFilter

When the program executes the following instructions, what happens is explained beside each instruction:

MOV DWORD PTR DS:[ECX], EAX ----- THIS IS OK, ADDRESS IS COPIED AT UEF
MOV DWORD PTR DS:[EAX+4], ECX ----- THIS ACCESS VIOLATES

The reason it access violates is that [EAX + 4] is pointing to the code segment, which is readable. When it's trying to write to it, the program crashes.

What I want to ask is where I am going wrong. Everything seems to be right, but logic says that it must crash at MOV DWORD PTR DS:[EAX+4], ECX. What I am getting from all this is that I am missing the UEF (however, it is unlikely, since I have disassembled the SetUnhandledExceptionFilter function and got the address from there), because when the instruction access violated, the UEF should have been executed and control should have been transferred to CALL DWORD PTR [ESI + 4C]. Please correct me if I am wrong or if I am using the wrong method on the wrong OS. Furthermore, when I run the server without a debugger and exploit it, EAX and ECX end up somewhere else. I mean to say that the provided data doesn't get copied into the registers. Thanks in advance for the help.

Regards,

Tauqeer Ahmad