IE version:6.0.2800.1106 I too seem unable to replicate the overflow in a way described in the eEye advisory, but there's always more than one way to skin a cat. <object type="[/x64]AAAAAAAAAAAAXXXXNOPSLIDESHELLCODE">Cooler Than Centra Spike</object> causes an exception. "0x70bf6c55" reference memory at "0x58585858". can't be written. 70BF6C55 mov byte ptr [edi],al By supplying a valid 'writeable' address we bypass this exeception and end up with. Unhandled exception. Access Violation at 0x41414141. Having a look at the address that we used for the valid writeable address we can see a full copy of our exploit string. Thus if we plug our writeable address instead of x, the write will copy out shellode to our 'known' writeable address space. Then by using an adjusted value for the AAAA we can jump straight to the 'known' location of our shellcode. Hopefully Drew will make some comments around the difference's between these. Perhaps different buffer sizes affect different versions differently?. Brett -----Original Message----- From: Dave [mailto:chaboyd77at_private] Sent: Thursday, June 05, 2003 3:45 PM To: vuln-devat_private Subject: Exploiting new IE Object Type Overflow Hi, I've had really good success with basic overflows and have been trying to attempt something moderate+. I've successfully duplicated the overflow (IE Object Type) (ESP doesn't seem to be overwritten, but EDI is). However, since the value located in EDI is referenced then program flow can be controlled?? I just can't seem to do anything with EDX as stated in the EEYE Advisory.. "This allows us to take control of key registers so as to run code that we specify, which will be available at the EDX register. On my system (2000 Pro SP3) EDX always has a value of 0 and nothing I do changes its value or any other registers value (besides EDI). Also, this is different from a regular stack overflow as placing the address of a JMP ESP in EDI doesn't always seem to be gauranteed to point to my code. Is there something really easy I'm missing here? Thanks, Dave
This archive was generated by hypermail 2b30 : Fri Jun 06 2003 - 11:08:50 PDT