The sexy side of information security, welcome to PornoSecurity!

Impossible is Nothing

Posted on 2008-08-25 12:59:42 in PornoSecurity

Impossible

I was looking for a vuln to write an exploit for when I found this PoC.

The author wrote:


     "The reason why there isn't any shellcode here is because the client is
     converting the junk/buffer data to unicode so it's corrupting the shellcode.
     I've tried sending a unicode buffer but the same problem occurs.
     If anyone else can get further please let me know, but I doubt you can."


It is for this reason, a small suggestion of impossibility (copyright Phantasmal Phantasmagoria), that I decided to write this. Actually it was pretty funny :)

 

The first problem is how to redirect the execution flow to our buffer. The buffer can be found at three different locations:
  • at some address on the stack, converted to unicode
  • at some address on the heap, again converted to unicode
  • at some address on the heap, in plain ASCII

Unfortunately none of these addresses are unicode friendly :(.
But... there is an address on the stack that points into the middle of the buffer (the one on the stack), so all we need is to pop the stack 6 times and then return.
To achieve this we return 2 times onto a unicode-friendly pop, pop, pop, ret.

 

The second problem is that the buffer on the stack is converted to unicode (so \x41 -> \x00\x41) *and* must be, with some exceptions, in the \x01 -> \x59 range... so I decided to write a unicode-friendly ASM stub that loads the address of the ASCII version of the buffer into EAX using offsets from a register (somewhat related to our buffer), pushes it and then returns.

 

On my box this works 100 times out of 100 :)

 

Check it out here

Nick