On Mon, 08 Nov 2004 21:24:00 EST, Jack C said: > Run in OllyDbg, we find that the above string makes the program attempt > to JMP to 0x00420042. It just so happens that Hex 42 is a "B". So the > two B's at the end of the exploit string change the instrucation pointer. > > As far as I can tell, this is not exploitable to run a shellcode because > of the fact that NULL's are inserted between charactors. Ah, but what if the 2 trailing B's are replaced by 2 Unicode chars that together take up 4 bytes? ;) > But besides > that, it would only give the same privliges that you already have to run > the program in the first place. It simply points out bad coding. If you can find a way to programmaticaly call the same code, this can be leveraged by a trojan code. Consider: If there was a way to get a user to click on a URL that resolved to a file share and fall into this code, this could be used as an initial attack point for a worm.....
Attachment:
pgpy1uWucZPk5.pgp
Description: PGP signature
