[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Remote buffer overflow in httpdx

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Remote buffer overflow in httpdx
From: Freddie Vicious <fred.vicious@xxxxxxxxx>
Date: Fri, 16 Oct 2009 07:42:21 -0700

Just saw this on Twitter, an MSF exploit published:
http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/

On Fri, Oct 9, 2009 at 7:58 PM, <pankaj208@xxxxxxxxx> wrote:

> The addr value used is required to reach the ret instruction. The value
> used 0x63b8624f lies in idata segment of n.dll
> Note that in order to reach ret instruction,
> value at addr+0x0e0f should be non-zero for
> if(isset(client->serve.redirect)) to succeed  => 004069E1  CMP BYTE PTR
> DS:[EAX+0E0F],0
> and
> addr+0x0f24 should be writable for client->state = STATE_DONE to execute.
> => 00406AAF  MOV DWORD PTR DS:[EAX+0F24],0
>
> The other two addresses used are
> ret1 = 0x64f8134b (pop ret in core.dll) to pop addr and return to ret2
> ret2 = 0x7c874413 (jmp esp in kernel32.dll) to jump to shellcode following
> ret2.
>
> Though I am able to get a shell, the retn/offsets used are not universal.
>
> Thanks,
> Pankaj
>



-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Drupal XML Sitemap 6.x-1.1 XSS Vulnerability
Next by Date: Re: [Full-disclosure] I miss Netdev.
Previous by thread: Re: [Full-disclosure] Remote buffer overflow in httpdx
Next by thread: [Full-disclosure] A CALL TO ARMS ON RESPONSIBLE DISCLOSURE
Index(es):
- Date
- Thread