Just saw this on Twitter, an MSF exploit published: http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/
On Fri, Oct 9, 2009 at 7:58 PM, <pankaj...@gmail.com> wrote:
> The addr value used is required to reach the ret instruction. The value
> used, 0x63b8624f, lies in the idata segment of n.dll.
> Note that in order to reach the ret instruction,
> the value at addr+0x0e0f should be non-zero for
> if(isset(client->serve.redirect)) to succeed => 004069E1 CMP BYTE PTR DS:[EAX+0E0F],0
> and
> addr+0x0f24 should be writable for client->state = STATE_DONE to execute.
> => 00406AAF MOV DWORD PTR DS:[EAX+0F24],0
>
> The other two addresses used are
> ret1 = 0x64f8134b (pop ret in core.dll) to pop addr and return to ret2
> ret2 = 0x7c874413 (jmp esp in kernel32.dll) to jump to the shellcode following ret2.
>
> Though I am able to get a shell, the retn/offsets used are not universal.
>
> Thanks,
> Pankaj

--
Best wishes,
Freddie Vicious
http://twitter.com/viciousf
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/