Enthusiastic question about this stack overflow.


ptr0x
February 12th, 2014, 18:51
Hi there, thanks for coming here =D

I really don't know if it is an "advanced reversing" issue, but I guess it isn't a newbie issue, so I am here. Sorry if this isn't the correct place to post this.

I'm exploiting this stack overflow where the PE in question is a server application that doesn't have any included modules.

I have a version of this server which isn't the actual version running on the official server publisher (which I'm trying to exploit). The version I have is about 1 year old, and the flaw I found in my version of the server is still in operation on the official server (I could see this by crashing the application with long string data passed through a client packet).

It is a classic case where the programmer fills 2 local string buffers with client-packet data and only checks the client-data string size after the copy (sscanf is used). Because of this I really think the call stack has the same length on the official server.

The problem comes when searching for a "JMP ESP" instruction to overwrite the return address of the function. The main module is located at 0x400000 and ends at about 0x580000, so I can't use any of these addresses due to the null character.

I can't even search for another included module because, as I said before, this application just doesn't have any.

I'm really lost =[

I don't have any idea of what I can do. I already did an extensive search for any text that could help me but found nothing =[ The closest thing I found tells you to search for included modules (which probably don't have any exploit protection such as ASLR, for example).

I'm really instigated to do this, to learn more about this.

If you can help me with anything please take a seat :P

Thank you very very much and sorry for the bad English
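The bug pattern described in the post above (two local string buffers filled by sscanf, with the length check only after the copy), shown as an added C example that is not part of this thread: the unsafe parser beside a hardened one that checks before copying and bounds each conversion. FIELD_MAX, the two-field "user cmd" packet layout and the sample inputs are assumptions, not details of the server in question.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define FIELD_MAX 63                 /* constructed: max chars per field */
#define FIELD_LEN (FIELD_MAX + 1)    /* buffer size incl. terminating NUL */
#define STR2(x) #x
#define STR(x) STR2(x)               /* FIELD_MAX -> "63" inside the format */
typedef struct { int ok; char user[FIELD_LEN]; char cmd[FIELD_LEN]; } packet_t;

/* The pattern the post describes: unbounded sscanf("%s") into two fixed
 * buffers, size checked only after the copy, i.e. after the overrun. */
packet_t parse_packet_unsafe(const char *packet)
{
    packet_t r = { -1, "", "" };
    if (sscanf(packet, "%s %s", r.user, r.cmd) != 2)             /* no width */
        return r;
    if (strlen(r.user) > FIELD_MAX || strlen(r.cmd) > FIELD_MAX) /* too late */
        return r;
    r.ok = 0; return r;
}

/* Hardened form: bound the whole packet before touching any buffer, give
 * each %s a width tied to the buffer size, and reject leftover bytes (a
 * 100-char token would otherwise be split across both fields by the width
 * limit and silently accepted). Assumes packet is NUL-terminated. */
packet_t parse_packet_safe(const char *packet)
{
    packet_t r = { -1, "", "" };
    int consumed = 0;
    if (strlen(packet) > 2 * FIELD_MAX + 1)   /* two fields + separator */
        return r;
    if (sscanf(packet, "%" STR(FIELD_MAX) "s %" STR(FIELD_MAX) "s%n",
               r.user, r.cmd, &consumed) != 2)
        return r;
    for (const char *p = packet + consumed; *p; p++)
        if (!isspace((unsigned char)*p))      /* unparsed trailing data */
            return r;
    r.ok = 0; return r;
}

/* Constructed sample input: token_len 'A's, a space, then "b". */
const char *oversized_packet(size_t token_len)
{
    static char buf[512];
    if (token_len > 500) token_len = 500;
    memset(buf, 'A', token_len);
    memcpy(buf + token_len, " b", 3);
    return buf;
}
```

parse_packet_unsafe is only ever called here with well-formed input; the point is that its strlen check can never run before the copy has already written past the buffers.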

malice
March 17th, 2014, 01:21
It is quite uncommon these days for anything to be exploitable via a simple jump to ESP. There are entire tomes dedicated to the art (for one "the art of exploitation", though it is kind of dated by now). If you wish for a quick start then I suggest you start with tutorials from Corelan ("https://www.corelan.be/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/"). They start by easing you into it, and then move on to more advanced exploitation methods. Not every vulnerability is exploitable though.