Dailydave mailing list archives

Re: quick notes


From: <oded.horovitz () hushmail com>
Date: Mon, 30 Aug 2004 11:15:57 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Fri, 27 Aug 2004 11:40:08 -0700 H D Moore <hdm-daily-dave () digitaloffense net> wrote:
> On Friday 27 August 2004 13:27, Dave Aitel wrote:
> > In addition to having the NSS heap overflow working against Windows XP
> > SP2 (just to say that it can be done, not that people are running
> > SunONE on Windows),
>
> Working on XP SP2 here as well. Using a request of 1024 bytes (256 * ret)
> I was able to hit a "call [edx+0x44]" where edx is controllable.
> ....
> The tricky part of this exploit is determining a static address to use for
> the value of edx. This register needs to point to a pointer of your
> shellcode. It is possible to load arbitrary amounts of data into the heap
> of the remote process through GET requests with a Content-Length set.

You have the best setup for lookaside basing. Just load a controllable-length
input into some lookaside entry, and set edx to that entry-0x44.

> Dave, are you using this vector to gain eip, or have you found another way
> that is easier/more reliable?

Did you Dave? :)

Oded H.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkEzbtwACgkQ24ZQsz/my73HRwCeMe/145BBRFJ1O0RKi+MSZAbOi6wA
mwVYMbDFmoLFWDF76Rn/y5sQ2P2o
=oIS0
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave