PornoSecurity: sexy vulns, porno sploits and the like
Impossible is Nothing
Posted on 2008-08-25 12:59:42 in PornoSecurity
I was looking for a vuln to write an exploit for when I found this PoC.
The author wrote:
"The reason why there isn't any shellcode here is because the client is
converting the junk/buffer data to unicode so it's corrupting the shellcode.
I've tried sending a unicode buffer but the same problem occurs.
If anyone else can get further please let me know, but I doubt you can."
It was this small suggestion of impossibility (copyright Phantasmal Phantasmagoria) that made me decide to write it. Actually, it was pretty funny :)
The first problem is how to redirect the execution flow to our buffer. The buffer can be found at three different locations:
- at some address on the stack converted to unicode
- at some address on the heap again converted to unicode
- at some address on the heap in plain ASCII
Unfortunately, none of these addresses is unicode friendly :( (a dword we write through the widened buffer can only have the shape 0x00HH00LL).
But there is an address on the stack that points into the middle of the buffer (the stack copy); all we need is to pop the stack 6 times and then return.
To achieve this we return twice onto a unicode-friendly pop,pop,pop,ret gadget.
The second problem is that the buffer on the stack is converted to unicode (each byte is widened to a 16-bit unit, so \x41 becomes \x41\x00 in memory) *and* must, with some exceptions, stay within the \x01 -> \x59 range... so I decided to write a unicode-friendly ASM stub that loads the address of the ASCII copy of the buffer into EAX, computed as an offset from a register whose value is related to our buffer, pushes it and then returns.
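An added example, not code from the post or from the linked PoC, that models the two problems above in Python: it widens bytes the way the client does, tests whether a dword can be produced by widened bytes in the \x01-\x59 range, builds the part of the buffer that lands on the saved EIP, and walks two pop,pop,pop,ret gadgets on a constructed stack until the final ret lands on the pre-existing pointer into the buffer. The gadget address, buffer base, stack snapshot and the exact conversion routine are assumptions made for illustration.

```python
"""Constructed model of the two problems in the post: a stack buffer that the
client widens to UTF-16, and a ret chain that has to reach a dword already on
the stack. Gadget address, buffer base and stack contents are invented."""
import struct

# The post says usable bytes are roughly \x01..\x59 (it mentions exceptions it
# does not list); this model treats that range as the whole rule.
ALLOWED = range(0x01, 0x5A)


def widen(data: bytes) -> bytes:
    """Widen the way the client does: each byte becomes a little-endian
    16-bit unit, so b'A' (0x41) ends up as 41 00 in memory (assumes the
    conversion is a plain byte-to-UTF-16LE widening)."""
    return data.decode("latin-1").encode("utf-16-le")


def is_unicode_friendly(addr: int) -> bool:
    """A dword that widened bytes can form is LL 00 HH 00 in memory, i.e.
    0x00HH00LL, with LL and HH both in the allowed range."""
    ll, b1, hh, b3 = struct.pack("<I", addr)
    return b1 == 0 and b3 == 0 and ll in ALLOWED and hh in ALLOWED


def addr_to_ascii(addr: int) -> bytes:
    """The two bytes that widen to `addr`; rejects unfriendly addresses."""
    if not is_unicode_friendly(addr):
        raise ValueError("0x%08x is not unicode friendly" % addr)
    return bytes([addr & 0xFF, (addr >> 16) & 0xFF])


def build_stack_payload(gadget: int) -> bytes:
    """Bytes that, once widened, lay out: gadget, three junk dwords, gadget,
    three junk dwords (the part of the buffer that overwrites the saved EIP
    plus the slots the two pop,pop,pop,ret gadgets consume)."""
    junk = b"A" * 6                     # 6 bytes -> 12 bytes -> 3 dwords
    return addr_to_ascii(gadget) + junk + addr_to_ascii(gadget) + junk


def widened_dwords(payload: bytes) -> list:
    """The dwords the widened payload occupies on the stack."""
    w = widen(payload)
    return list(struct.unpack("<%dI" % (len(w) // 4), w))


def find_pointer_into(stack: list, ret_slot: int, buf_base: int, buf_len: int):
    """First dword above the overwritten return address that points inside the
    buffer: returns (slot index, dwords that must be consumed before it)."""
    for i in range(ret_slot + 1, len(stack)):
        if buf_base <= stack[i] < buf_base + buf_len:
            return i, i - ret_slot - 1
    return None


def run_chain(stack: list, ret_slot: int, gadgets: dict) -> int:
    """Tiny ret interpreter: take the overwritten saved EIP and, while EIP is a
    known gadget, discard its pops and ret again. Returns the first EIP that
    is not a gadget, i.e. where execution ends up."""
    esp = ret_slot
    eip = stack[esp]
    esp += 1
    while eip in gadgets:
        esp += gadgets[eip]          # the pops
        eip = stack[esp]             # the ret
        esp += 1
    return eip


# Hypothetical values for the walk-through.
GADGET = 0x00410042        # a unicode-friendly pop,pop,pop,ret (made up)
BUF_BASE = 0x0012F000      # where the widened buffer sits on the stack (made up)
RET_SLOT = 4               # stack slot holding the saved EIP we overwrite

# Constructed stack snapshot, one dword per slot: four untouched slots, then our
# widened payload, then the pre-existing pointer into the middle of the buffer.
SAMPLE_STACK = ([0] * RET_SLOT
                + widened_dwords(build_stack_payload(GADGET))
                + [BUF_BASE + 0x200])


def demo() -> int:
    """Follow the chain on the sample stack; it should end on the buffer pointer."""
    return run_chain(SAMPLE_STACK, RET_SLOT, {GADGET: 3})


if __name__ == "__main__":
    print("pointer slot / dwords before it:",
          find_pointer_into(SAMPLE_STACK, RET_SLOT, BUF_BASE, 0x400))
    print("chain ends at 0x%08x" % demo())
```

The walk shows why two gadgets are needed: the pointer sits eight dwords above the overwritten saved EIP, and each pop,pop,pop,ret eats four of them (three pops plus the dword its ret consumes), so the second gadget's ret is the one that pops the pointer into EIP. On a real target the slot index comes from a debugger stack dump, not from this constructed snapshot.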
On my box this works 100 times out of 100 :)
Check it out here
2009-03-09 13:58:10
testonly: Hi, I tried this PoC on XP SP3 but can't execute the shell. I didn't find "an address on the stack that points in the middle of the buffer"??? Other conditions???