|
Vulnerability Development
mailing list archives
Re: 3COM TFTPD Overflow: SEH Overwrite
From: lists () skilltube com
Date: Mon, 04 Feb 2008 18:31:51 +0100
What vulnerability are you trying to exploit? This one?
http://www.securityfocus.com/bid/21322
In your document, you say
"I look for POP/POP/RET ws2_32.dll (to avoid SafeSEH restrictions?)"
are you telling or asking? Can you please provide a little more info.
Otherwise it is hard to help here. If you try to exploit the
vulnerability mentioned above, send the following request (perl style):
$buffer="\x00\x01";
$buffer .=("\x41\x00");
$buffer .=("A"x480);
That should give you control over eip. By selecting the right return
address, you end up in a reliable exploit.
Quoting jeremy.junginger () gmail com:
I'm attempting to exploit an already known bug in 3COM TFTPD server,
and execute "calc.exe" with my shellcode. I have control of
ECX/EIP, and can overwrite both SEH and pointer to next SEH
successfully, and have used:
Pointer to next SEH: \xeb\x10\x90\x90
SEH: \x69\x12\xab\x71 (POP/POP/RET in ws2_32.dll)
A full writeup with screenshots is available at:
http://filebin.ca/pmuwqm/SEHOverwrite.rtf
I'm getting "Debugged program was unable to process exception", so I
hit shift+f9 (in olly) and it terminates with some strange exit
code. Could you take a peek and see what I'm missing here?
Thanks guys!
-jj
 By Date 
By Thread
Current thread:
- Re: 3COM TFTPD Overflow: SEH Overwrite lists (Feb 04)
|
Intro
