List: fuzzing
Subject: [fuzzing] Heap based overflow Problem--Help
From: ahmadtauqeer () yahoo ! com (Tauqeer Ahmad)
Date: 2006-05-07 9:52:03
Message-ID: 20060507095203.73824.qmail () web38612 ! mail ! mud ! yahoo ! com
Hi all,
I am exploiting a heap-based buffer overflow in one of the FTP servers on Windows 2000 Advanced Server with no SP. The problem that I face is that when using the UEF (UnhandledExceptionFilter) method it doesn't work. The following is the data:
EAX = 77E4FB7A ----- address of CALL DWORD PTR [ESI + 4C]
ECX = 77EE044C ----- pointer to UnhandledExceptionFilter
When the program executes the following instructions, what happens is explained beside each instruction:
MOV DWORD PTR DS:[ECX], EAX ----- THIS IS OK; THE ADDRESS IS COPIED INTO THE UEF
MOV DWORD PTR DS:[EAX+4], ECX ----- THIS ACCESS VIOLATES
The reason it access-violates is that [EAX + 4] is pointing to the code segment, which is readable. When it tries to write there, the program crashes.
What I want to ask is where I am going wrong. Everything seems to be right, and logic says that it must crash at MOV DWORD PTR DS:[EAX+4], ECX. What I am getting from all this is that I am missing the UEF (however, this is unlikely, since I have disassembled the SetUnhandledExceptionFilter function and got the address from there), because when the instruction access-violated the UEF should have been executed and control should have been transferred to CALL DWORD PTR [ESI + 4C]. Please correct me if I am wrong or if I am using the wrong method on the wrong OS. Furthermore, when I run the server without a debugger and exploit it, EAX and ECX end up somewhere else. I mean to say that the provided data doesn't get copied into the registers. Thanks in advance for the help.
Regards,
Tauqeer Ahmad