3COM TFTPD Overflow: SEH Overwrite

From: jeremy.junginger@gmail.com
To: vuln-dev@securityfocus.com
Subject: 3COM TFTPD Overflow: SEH Overwrite

I'm attempting to exploit an already known bug in 3COM TFTPD server, and execute "calc.exe" with my shellcode.  I have control of ECX/EIP, and can overwrite both SEH and pointer to next SEH successfully, and have used:

Pointer to next SEH: \xeb\x10\x90\x90
SEH: \x69\x12\xab\x71 (POP/POP/RET in  ws2_32.dll)

A full writeup with screenshots is available at:

I'm getting "Debugged program was unable to process exception", so I hit shift+f9 (in olly) and it terminates with some strange exit code.  Could you take a peek and see what I'm missing here?

Thanks guys!


Copyright © 1995-2020 LinuxRocket.net. All rights reserved.