[framework] ani_loadimage_chunksize problem

Thomas Werth security at vahle.de
Wed Oct 24 06:34:39 CDT 2007


Dear List,

I'm having problems using the ani_loadimage_chunksize exploit with ie6
on win XP SP2 German.
I've investigated what happens on the Windows side using IDA.
With the default address for jmp esp an exception is thrown:
"Memory could not be written The instruction at 0x0040afff referenced
memory at 0x0040afff. The memory could not be written (0x0040afff ->
0040afff)"

I looked up that segment and it was marked as R & D and public const.
Well, I got around this problem by using another address as jmp esp.
From ws2_32.dll "0x71a19372 push esp; ret" is taken.

Now the jmp esp is done and lands in the stack.

But then the same exception is thrown.
"Memory could not be written The instruction at 0x12decc referenced
memory at 0x12decc. The memory could not be written (0x12decc -> 12decc)"
Strange is that the segment is marked as W & D public Stack.
So write access should be granted...
Although, why in general is there a write access violation when
performing a nop or, before that, a jmp esp?

Any help and clarification is welcome.

regards,
Thomas
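The post picks a "push esp; ret" trampoline out of ws2_32.dll by hand. The script below is an added example (not code from the original post or from the Metasploit module) of how a practitioner automates that choice: it scans an image for the x86 encodings of "jmp esp", "call esp" and "push esp; ret", maps each file offset back to a virtual address through the section table, and flags hits that sit in a non-executable section or whose address contains bytes that would break the payload. The image, its section table and the image base 0x71a10000 are constructed for the demonstration; against a real DLL the section entries would be read from its IMAGE_SECTION_HEADER table.

```python
"""
Locate stack trampolines ("jmp esp", "call esp", "push esp; ret") in a
PE-like image and rank them by usability.  Added example; the image and
its sections are constructed here and are not taken from ws2_32.dll.
"""
import struct
from typing import Dict, FrozenSet, List, NamedTuple, Optional

# x86 encodings.  "jmp esp" and "push esp; ret" are the two trampolines
# discussed in the post; "call esp" is a common equivalent.
TRAMPOLINES: Dict[str, bytes] = {
    "jmp esp": b"\xff\xe4",
    "call esp": b"\xff\xd4",
    "push esp; ret": b"\x54\xc3",
}

# IMAGE_SECTION_HEADER.Characteristics flags from the PE format.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Address bytes that commonly truncate or corrupt a payload (NUL, CR, LF).
DEFAULT_BAD_BYTES: FrozenSet[int] = frozenset({0x00, 0x0A, 0x0D})


class Section(NamedTuple):
    name: str
    raw_offset: int       # PointerToRawData
    raw_size: int         # SizeOfRawData
    rva: int              # VirtualAddress
    characteristics: int


class Hit(NamedTuple):
    gadget: str
    va: int
    section: str
    executable: bool
    bad_bytes: bool


def section_for_offset(sections: List[Section], off: int) -> Optional[Section]:
    """Return the section whose raw data covers file offset `off`, if any."""
    for s in sections:
        if s.raw_offset <= off < s.raw_offset + s.raw_size:
            return s
    return None


def find_trampolines(image: bytes, image_base: int, sections: List[Section],
                     bad_bytes: FrozenSet[int] = DEFAULT_BAD_BYTES) -> List[Hit]:
    """Scan `image` for every trampoline encoding and describe each hit."""
    hits: List[Hit] = []
    for name, pattern in TRAMPOLINES.items():
        start = 0
        while True:
            off = image.find(pattern, start)
            if off < 0:
                break
            start = off + 1
            sec = section_for_offset(sections, off)
            if sec is None:
                continue  # header or slack bytes: not mapped as a section
            # File offset -> RVA -> VA, using the section that contains it.
            va = image_base + sec.rva + (off - sec.raw_offset)
            addr = struct.pack("<I", va)  # little-endian, as written into the overflow
            hits.append(Hit(name, va, sec.name,
                            bool(sec.characteristics & IMAGE_SCN_MEM_EXECUTE),
                            any(b in bad_bytes for b in addr)))
    return sorted(hits, key=lambda h: h.va)


def usable(hits: List[Hit]) -> List[Hit]:
    """Keep only trampolines in executable sections with clean address bytes."""
    return [h for h in hits if h.executable and not h.bad_bytes]


def build_sample_image():
    """Constructed 1 KiB image with a .text and a .data section (hypothetical)."""
    buf = bytearray(0x400)
    sections = [
        Section(".text", 0x200, 0x100, 0x1000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        Section(".data", 0x300, 0x100, 0x2000, IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
    ]
    buf[0x010:0x012] = b"\xff\xe4"  # in headers, outside any section: ignored
    buf[0x20A:0x20C] = b"\xff\xd4"  # .text: call esp, but its VA contains 0x0A
    buf[0x210:0x212] = b"\xff\xe4"  # .text: jmp esp, clean address
    buf[0x250:0x252] = b"\x54\xc3"  # .text: push esp; ret, clean address
    buf[0x320:0x322] = b"\xff\xe4"  # .data: writable, not executable (DEP would fault)
    return bytes(buf), sections


if __name__ == "__main__":
    img, secs = build_sample_image()
    for h in find_trampolines(img, 0x71A10000, secs):  # hypothetical image base
        print(f"{h.va:#010x} {h.gadget:14} {h.section:6} "
              f"exec={h.executable} badbytes={h.bad_bytes}")
    print("usable:", [f"{h.va:#x}" for h in usable(find_trampolines(img, 0x71A10000, secs))])
```

The non-executable hit in .data is the case to watch for: the bytes decode as a valid trampoline, but with hardware DEP active the jump there faults instead of redirecting to the stack, so a scanner that ignores section characteristics will offer addresses that cannot work.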
