Vulnerability Development: Re: Re: 3COM TFTPD Overflow: SEH Overwrite

Re: Re: 3COM TFTPD Overflow: SEH Overwrite

From: <lists_at_skilltube.com>
Date: Fri, 08 Feb 2008 10:08:40 +0100

Quoting jeremy.junginger_at_gmail.com:

> I was asking if ws2_32.dll was compiled with SafeSEH (didn't know
> about the Olly plugin). Regarding the return address...I already
> have control of EIP, but can't point it directly to the stack, so
> I'm searching for a module with a suitable return address (with
> pop/pop/ret) to help me get back to that buffer. The issue was with
> the return address I was pointing to, and the fact that the
> module was compiled with SafeSEH. Is that enough detail?
>

Nope, you didn't answer my question regarding the vulnerability you
are trying to exploit. If it turns out to be the transporting mode
issue, then the best place to look for a working return address is the
binary itself. Very reliable and still enough space for the shellcode.

regards
-S

----------------------------------
SkillTube.com
Received on Feb 08 2008
