ColdFusion Heap Overflow -continued
From: Gary O'leary-Steele <garyo(at)sec-1.com>
Date: Fri Nov 15 2002 - 12:26:50 EST

I am attempting to write exploit code for the ColdFusion heap overflow (still). On advice from various on the secfocus list I have installed SoftICE and located the exception handler in question.

The handler code starts at 0x77f82b95

The code I am trying to manipulate is at

    0x77f8e43b mov ecx, [ebp+0x18]
    0x77f8e43e call ecx

where ebp changes each time the exception is called.

I can control the following values within the following instruction,

    mov [ecx], eax

where ecx and eax can be any value I specify.

The problem (or my lack of understanding) is that the stack frame is set up when the exception is handled and I can't seem to write to [ebp+0x18] due to the fact it changes etc. (stop me if I'm wrong).

Attempting to overwrite the instruction (sorry if this is a basic can't do) with mov [ecx], eax where ecx = 0x77f8e43b and eax = 0x41414141 doesn't seem to do anything?

Any help or pointers are greatly appreciated. Thanks in advance.
Kind Regards
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT