View Full Version : Tracing into IIS


mashedpatatas
March 19th, 2003, 04:40
Can anyone help me with a problem...

I have the CODERED packet dump and tried to infect my IIS server with it, and it succeeded.

Now, what I want is to breakpoint into the CODERED virus while trying to execute in SoftICE. What do I breakpoint in SoftICE to get there?

TIA!

dELTA
March 19th, 2003, 11:06
If it's a pure stack buffer overflow (i.e. not just redirecting the execution to a heap buffer with an overflowed return address), it should work to set a memory execution breakpoint on the entire stack (Note: NOT a BPX).

If you know in what function it happens, you can narrow it down to a smaller stack area, if a large area execution breakpoint won't work, or even simply put a memory write breakpoint on the return address of the function on the stack.

dELTA

evlncrn8
March 19th, 2003, 11:37
fill the code you inject with 0CCh
set i3here on in SoftICE
send the packet.. wait for the break
considerably easier