Vulnerability Development: Help developing an exploit

Help developing an exploit

From: Webster Orkin <webster.orkin_at_gmail.com>
Date: Sat, 28 Apr 2007 21:46:08 -0400

Hi List,

I discovered a buffer overflow in a networked application that my
company uses. I plan to notify the company that writes the program,
but I'd like to develop sample exploit code before I do so they'll
take it more seriously. I've never written exploit code, but I do
have experience with coding, network security, etc. In the past
couple of weeks I've been looking at a lot of exploit code, reading up
on metasploit, and working with Windbg. Basically, their program
listens on a TCP port for a connection that sends a username/password
in an XML message. They don't bounds-check either username (overflows
after 45 chars) or password (overflows after 23 chars). Playing with
larger inputs, I am able to get a payload sent, and can get values
into EAX, EDX, and EIP at various points. The problem I've been
having is that my payload ends up at address 0x0012E6B4 and if I try
to get that address into EIP, my entire message is rejected for
containing an x00 character. Here's what I've found about what I can
send:

(23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into
EDX->EIP)(up to 4500 bytes)

Clearly that last block would be a great place for a payload, but I
just can't seem to get EIP to what I want. Here are the last three
lines of the program disassembly:
mov edx,dword ptr [eax]
push eax
call dword ptr [edx+8]

That last line is where the debugger keeps stopping because since I
haven't been able to put in the address I want (0012...), I've been
using invalid memory addresses as space holders (\xb4\xe6\x12\xcc).

I'm not sure if anyone can help, but it feels like I'm very close. I
can also send along my current metasploit ruby file if that would
help. If anyone has any suggestions, I'd greatly appreciate it.

Thanks,

-Webster
Received on Apr 29 2007
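The following is an added example, not code from the post above or from the vendor's program. It models the three constraints the poster describes: 32-bit little-endian addresses, an XML message filter that rejects any 0x00 byte, and the dispatch sequence `mov edx,[eax]; push eax; call [edx+8]`, evaluated over a small simulated memory window. The simulated base address (0x11220000), the fake object/table offsets, and the 4-byte placeholder tail are constructed for illustration and are not taken from the real target; the 23/4/32/4/4500 field layout is the one given in the post.

```c
/* Added example (not the poster's or the vendor's code). Models the wire
 * constraint (no 0x00 bytes) and the dispatch sequence from the post:
 *     mov edx, dword ptr [eax]
 *     push eax
 *     call dword ptr [edx+8]
 * over a simulated 32-bit memory window. Base, offsets and tail are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIM_BASE 0x11220000u      /* constructed, null-free base of the window */
#define SIM_SIZE 0x1000u
static uint8_t sim_mem[SIM_SIZE];

static void put32(uint8_t *d, uint32_t v) {           /* little-endian encode */
    d[0] = (uint8_t)v; d[1] = (uint8_t)(v >> 8);
    d[2] = (uint8_t)(v >> 16); d[3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *s) {
    return (uint32_t)s[0] | ((uint32_t)s[1] << 8) |
           ((uint32_t)s[2] << 16) | ((uint32_t)s[3] << 24);
}

/* 1 if the wire encoding of addr contains 0x00 and the filter would reject
 * the message. 0x0012E6B4 encodes as b4 e6 12 00, so it fails. */
int addr_has_null(uint32_t addr) {
    uint8_t b[4];
    put32(b, addr);
    return memchr(b, 0, sizeof b) != NULL;
}

/* Dword read from the window; 0 models an access violation outside it. */
static int sim_read32(uint32_t addr, uint32_t *out) {
    if (addr < SIM_BASE || addr - SIM_BASE > SIM_SIZE - 4) return 0;
    *out = get32(sim_mem + (addr - SIM_BASE));
    return 1;
}
static void sim_write32(uint32_t addr, uint32_t v) { put32(sim_mem + (addr - SIM_BASE), v); }

/* EDX = [EAX]; EIP = [EDX+8]. Two dereferences sit between the controlled
 * register and EIP, so a bare code address in the controlled dword is not
 * enough: it must point at memory holding a pointer whose +8 slot is the
 * destination. Returns 0 if either read faults (the debugger stop in the post). */
int resolve_call_target(uint32_t eax, uint32_t *eip) {
    uint32_t edx;
    if (!sim_read32(eax, &edx)) return 0;
    return sim_read32(edx + 8, eip);
}
uint32_t eip_for(uint32_t eax) {                      /* 0 on fault */
    uint32_t eip = 0;
    return resolve_call_target(eax, &eip) ? eip : 0;
}

/* Layout from the post: (23)(4 -> EAX)(32)(4 -> EDX)(tail, up to 4500).
 * Returns total length, or -1 if any byte would trip the 0x00 filter. */
#define PRE_LEN 23
#define MID_LEN 32
#define TAIL_MAX 4500
int build_message(uint8_t *out, size_t cap, uint32_t eax_val, uint32_t edx_val,
                  const uint8_t *tail, size_t tail_len) {
    size_t total = PRE_LEN + 4 + MID_LEN + 4 + tail_len;
    if (tail_len > TAIL_MAX || total > cap) return -1;
    memset(out, 'A', PRE_LEN);
    put32(out + PRE_LEN, eax_val);
    memset(out + PRE_LEN + 4, 'B', MID_LEN);
    put32(out + PRE_LEN + 4 + MID_LEN, edx_val);
    memcpy(out + PRE_LEN + 4 + MID_LEN + 4, tail, tail_len);
    return memchr(out, 0, total) ? -1 : (int)total;   /* the target's filter */
}
int message_len_for(uint32_t eax_val, uint32_t edx_val) {
    static uint8_t msg[PRE_LEN + 4 + MID_LEN + 4 + TAIL_MAX];
    const uint8_t tail[4] = { 0xcc, 0xcc, 0xcc, 0xcc }; /* constructed placeholder */
    return build_message(msg, sizeof msg, eax_val, edx_val, tail, sizeof tail);
}

/* Constructed layout: fake object at +0x110 -> fake table at +0x210, whose
 * +8 slot holds the destination +0x310. None of the three contains 0x00. */
#define FAKE_OBJ   (SIM_BASE + 0x110u)
#define FAKE_TABLE (SIM_BASE + 0x210u)
#define FAKE_DEST  (SIM_BASE + 0x310u)
void setup_fake_layout(void) {
    memset(sim_mem, 0, sizeof sim_mem);
    sim_write32(FAKE_OBJ, FAKE_TABLE);
    sim_write32(FAKE_TABLE + 8, FAKE_DEST);
}

int main(void) {
    setup_fake_layout();
    printf("0x0012E6B4 contains 0x00: %d\n", addr_has_null(0x0012E6B4u));
    printf("message with stack address: %d\n", message_len_for(0x0012E6B4u, 0x0012E6B4u));
    printf("message with fake layout: %d bytes\n", message_len_for(FAKE_OBJ, FAKE_TABLE));
    printf("EIP via [[EAX]+8]: 0x%08X\n", eip_for(FAKE_OBJ));
    return 0;
}
```

The point the model makes concrete is that the controlled dword is consumed through two loads before it reaches EIP, and that every one of those intermediate pointers, not just the final code address, has to pass the null-byte filter; a stack address like 0x0012E6B4 fails at the first hop regardless of where the payload sits.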
