Exploiting new IE Object Type Overflow
From: Dave (chaboyd77_at_yahoo.com)
Date: 06/05/03
- Previous message: Dave Korn: "Re: strcpy bug"
- Next in thread: Brett Moore: "RE: Exploiting new IE Object Type Overflow"
- Reply: Brett Moore: "RE: Exploiting new IE Object Type Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 5 Jun 2003 03:44:40 -0000
To: vuln-dev@securityfocus.com
Hi,
I've had really good success with basic overflows and have been trying to
attempt something moderate+. I've successfully duplicated the overflow (IE
Object Type) (ESP doesn't seem to be overwritten, but EDI is). However,
since the value located in EDI is referenced then program flow can be
controlled?? I just can't seem to do anything with EDX as stated in the
EEYE Advisory..
"This allows us to take control of key registers so as to run code that we
specify, which will be available at the EDX register."
On my system (2000 Pro SP3) EDX always has a value of 0 and nothing I do
changes its value or any other registers value (besides EDI). Also, this
is different from a regular stack overflow as placing the address of a JMP
ESP in EDI doesn't always seem to be guaranteed to point to my code.
Is there something really easy I'm missing here?
Thanks,
Dave