RE: Exploiting new IE Object Type Overflow

IE version:6.0.2800.1106

I too seem unable to replicate the overflow in a way described in the eEye advisory, but there's always more than one way to skin a cat.

<object type="[/x64]AAAAAAAAAAAAXXXXNOPSLIDESHELLCODE">Cooler Than Centra Spike</object>

causes an exception. "0x70bf6c55" reference memory at "0x58585858". can't be written.
70BF6C55 mov byte ptr [edi],al

By supplying a valid 'writeable' address we bypass this exeception and end up with.

Unhandled exception. Access Violation at 0x41414141.

Having a look at the address that we used for the valid writeable address we can see
a full copy of our exploit string.

Thus if we plug our writeable address instead of x, the write will copy out shellode
to our 'known' writeable address space. Then by using an adjusted value for the AAAA
we can jump straight to the 'known' location of our shellcode.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Hopefully Drew will make some comments around the difference's between these. Perhaps
different buffer sizes affect different versions differently?.

Brett

-----Original Message-----
From: Dave [mailto:chaboyd77@yahoo.com]
Sent: Thursday, June 05, 2003 3:45 PM
To: vuln-dev@securityfocus.com
Subject: Exploiting new IE Object Type Overflow

Hi,

I've had really good success with basic overflows and have been trying to attempt something moderate+. I've successfully duplicated the overflow (IE Object Type) (ESP doesn't seem to be overwritten, but EDI is). However, since the value located in EDI is referenced then program flow can be controlled?? I just can't seem to do anything with EDX as stated in the EEYE Advisory..

"This allows us to take control of key registers so as to run code that we specify, which will be available at the EDX register.

On my system (2000 Pro SP3) EDX always has a value of 0 and nothing I do changes its value or any other registers value (besides EDI). Also, this is different from a regular stack overflow as placing the address of a JMP ESP in EDI doesn't always seem to be gauranteed to point to my code.

Is there something really easy I'm missing here? Thanks,
Dave Received on Fri Jun 6 14:19:27 2003

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek