RE: POC Heap based buffer overflow

This looks very similar to the latest WebDav vuln: 32k buffer (or 64k), overwriting ECX, inconsistent return addresses... What are you trying to exploit? Is it an UNICODE overflow? Sometimes all you get is a DoS exploit...or brute force a reverse shell (like the latest WebDav).

-----Original Message-----
From: Aaron C. Newman (Application Security, Inc.) [mailto:anewman@appsecinc.com]
Sent: Friday, April 11, 2003 3:16 PM
To: vuln-dev@securityfocus.com

I am developing a POC exploit for an exist buffer overflow.

In the buffer overflow, I can write up to 32000 bytes of memory (it allows my to write all noops - 0x90 - and I can embed payload anywhere in those bytes). It is overwritten in several places, however it is never consistently in the same place. I can get the payload to overwrite a value that is loaded into ecx and then ecx is executed. So I am able to change the direction of execution to any hard-coded address I want. However I can not consistently change it to my attack code because the payload is loaded to different places in memory each time.

The payload is not written directly to ESP or EBP so I can not simply call somewhere in the program where there is a "call esp" or "jmp esp". One of the areas overwritten does seem to be consistently written to ESP + 0x1D00 or EBP + 0x1D10 so I was hoping to find someplace in code where it executes:
add esp, 0x1D00
jmp esp

and other variations but have not had luck finding a useful match.

I could try brute forcing, but the overflow crashes the program so that is not very practical, particularly for demos.

Anyone have any ideas of how to use and address that can consistently find my attack code.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Regards,
Aaron Received on Sat Apr 12 10:53:07 2003