ColdFusion Heap Overflow - continued

From: Gary O'leary-Steele (garyo@sec-1.com)
Date: Fri Nov 15 2002 - 09:26:50 PST


Hi all,

I am attempting to write exploit code for the ColdFusion heap overflow
(still).

On advice from various people on the secfocus list I have installed SoftICE and
located the exception handler in question.

The handler code starts at

0x77f82b95

The code I am trying to manipulate is at

0x77f8e43b	mov ecx, [ebp+0x18]
0x77f8e43e	call ecx

where ebp changes each time the exception is called.

I can control the following values within the following instruction:

mov [ecx], eax

where ecx and eax can be any value I specify. The problem (or my lack of
understanding) is that the stack frame is set up when the exception is
handled and I can't seem to write to [ebp+0x18] due to the fact that it changes
etc. (stop me if I'm wrong).

Attempting to overwrite the instruction (sorry if this is a basic can't-do)
with mov [ecx], eax where ecx = 0x77f8e43b and eax = 0x41414141 doesn't seem
to do anything?

Any help or pointers are greatly appreciated.

Thanks in advance.

Kind regards,
Gary
Sec-1




    This archive was generated by hypermail 2b30 : Sat Nov 16 2002 - 22:17:36 PST