Home page logo

bugtraq logo Bugtraq mailing list archives

RE: WebDav Exploit ffs
From: "Exurity Debugs" <exbugs () rogers com>
Date: Thu, 27 Mar 2003 17:02:53 -0500

I don't believe your shell code will work on other Kernel32.dll than the
version with the following ImageBase:
"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..

Because your code is reversed as:

    mov     eax, [esi]
    add     eax, ebp
    cmp     dword ptr [eax], 50746547h
    jnz     short loc_C0
    cmp     dword ptr [eax+4], 41636F72h
    jnz     short loc_C0
    cmp     dword ptr [eax+8], 65726464h
    jnz     short loc_C0
    mov     eax, [edi+24h]
    add     eax, ebp
    movzx   ebx, word ptr [eax+edx*2]
    mov     eax, [edi+1Ch]
    add     eax, ebp
    mov     ebx, [eax+ebx*4]
    add     ebx, ebp

        ; should jump to found
    add     esi, 4
    inc     edx
    cmp     edx, [edi+18h]
    jnz     short loc_8F
        ; then reached all and could not find, so find another version
So, if the Kernel32.dll happens to be different than the default, it will
simply crash without going too far.
Best regards
Peter Huang
Jumpable, Callable & Overflowing XPoson, New Exploitation Technology on the

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]