[Full-disclosure] Heap overflow problem----Help

[Tauqeer Ahmad <ahmadtauqeer@xxxxxxxxx>]

Hi all
   
  I am exploiting a heap-based buffer overflow in one of the ftp server on 
window 2000 advanced server with no SP. The problem that I face is that when 
using UEF(unhandled exception filter) method it doesn?t work. The following is 
the data:
   
  EAX  à  77E4FB7A -----  Address of CALL DWORD PTR [ESI + 4C]
  ECX  à  77EE044C  -----  pointer to UnhandeledExceptionFilter
   
  When program executes the following instruction what happens is explained 
beside the instruction:
   
  MOV DWORD PTR DS:[ECX], EAX -----THIS IS OK ADDRESS IS COPIED AT UEF
  MOV DWORD PTR DS:[EAX+4], ECX --- THIS ACCESS VIOLATES
   
  The reason it access violates is that [EAX + 4] is pointing to code segment 
which is readable. When it?s trying to write at it the program crashes.
   
  What I want to ask is that where am i going wrong? Every thing seems to be 
right but logic says that it must crash at MOV DWORD PTR DS:[EAX+4], ECX. What 
I am getting from all this is that I am missing the UEF(However it is unlikely 
since i have disassembled SetUnhandledExceptionFilter function and got the 
address from there) because when the instruction access violated UEF should 
have been executed and control should have been transferred to CALL DWORD PTR 
[ESI + 4C]. Please correct me if I am wrong or if I am using the wrong method 
on wrong OS. Furthermore, when I run the server without debugger and exploit it 
the EAX and ECX ends up some where else. I mean to say that provided data don?t 
get copied on the registers. Advance thanks for the help.
   
  Regards,
   
  Tauqeer Ahmad
   
   
   
   
   

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/