Re: ColdFusion Heap Overflow
From: Dave Aitel <dave(at)immunitysec.com>
Date: Thu Nov 14 2002 - 12:06:41 EST

Overwriting the exception pointers on the stack is crazy talk. The stack moves all around, and you'd never get the right one. However, there is a global exception pointer as well, which is used if it is set. Check out DDK-IIS.c and see the values they have for that, and try overwriting it. It actually works better if you do it without debugging the program, in my experience.

Most people exploit heap overflows by overwriting that global exception handler pointer thingy (yes, this is what it is technically called) and then pointing the program's eip into the heap, where they've stuffed half a gig of nops and some crappy SP dependent win32 shellcode.

-dave
On Thu, 14 Nov 2002 11:31:10 -0000
> Hi all,
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT