
A Bug Hunter's Diary by Tobias Klein

6.2 Exploitation

To gain control of EIP, I first had to find a suitable target address to overwrite. While searching through the IOCTL dispatch routine, I found two places where a function pointer is called:

[..]
.text:00010D8F            push    2               ; _DWORD
.text:00010D91            push    1               ; _DWORD
.text:00010D93            push    1               ; _DWORD
.text:00010D95            push    dword ptr [eax] ; _DWORD
.text:00010D97            call    KeGetCurrentThread
.text:00010D9C            push    eax             ; _DWORD
.text:00010D9D            call    dword_12460     ; the function pointer is called
.text:00010DA3            mov     [ebx+18h], eax
.text:00010DA6            jmp     loc_10F04
[..]
.text:00010DB6            push    2               ; _DWORD
.text:00010DB8            push    1               ; _DWORD
.text:00010DBA            push    1               ; _DWORD
.text:00010DBC            push    edi             ; _DWORD
.text:00010DBD            call    KeGetCurrentThread
.text:00010DC2            push    eax             ; _DWORD
...
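Why a function pointer in writable driver memory is a "suitable target address" is easiest to see in a small user-mode model. The following C is an added example, not code from the book or from the driver under analysis: the names dword_12460 and KeGetCurrentThread are taken from the listing above, but the pointer's signature, the meaning of its arguments and the write_pointer() primitive are assumptions made for the demonstration. On the 32-bit target the overwritten slot is a DWORD; the model uses uintptr_t so it also runs on a 64-bit host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed signature of the callee: the listing pushes 2, 1, 1, a DWORD and
 * the current thread, so the first argument is the thread pointer (assumption). */
typedef uint32_t (*hook_fn)(uint32_t thread, uint32_t arg, uint32_t one_a,
                            uint32_t one_b, uint32_t two);

/* Stand-in for whatever the driver normally calls through the pointer. */
static uint32_t original_hook(uint32_t thread, uint32_t arg, uint32_t one_a,
                              uint32_t one_b, uint32_t two) {
    (void)thread; (void)arg; (void)one_a; (void)one_b; (void)two;
    return 1u; /* constructed "success" value */
}

/* Plays the role of dword_12460: a global function pointer living in a
 * writable data section of the driver image. */
static hook_fn dword_12460 = original_hook;

/* Model of the dispatch path from the listing: arguments are pushed right to
 * left and control is transferred through *dword_12460. */
static uint32_t ioctl_dispatch(uint32_t dword_arg) {
    uint32_t current_thread = 0xDEADBEEFu; /* constructed stand-in for KeGetCurrentThread() */
    return dword_12460(current_thread, dword_arg, 1u, 1u, 2u);
}

/* Attacker-chosen code: whatever address is in the slot runs in the
 * dispatch routine's context (kernel mode on the real target). */
static uint32_t attacker_payload(uint32_t thread, uint32_t arg, uint32_t one_a,
                                 uint32_t one_b, uint32_t two) {
    (void)thread; (void)arg; (void)one_a; (void)one_b; (void)two;
    return 0x41414141u;
}

/* Hypothetical arbitrary pointer-sized write primitive. This is the capability
 * the exploit needs; it is not the driver's actual bug. */
static void write_pointer(void *addr, uintptr_t value) {
    memcpy(addr, &value, sizeof value);
}

/* Overwrite the slot, trigger the dispatch path once, then restore it. */
static uint32_t demo_hijack(uint32_t dword_arg) {
    write_pointer(&dword_12460, (uintptr_t)attacker_payload);
    uint32_t result = ioctl_dispatch(dword_arg);
    write_pointer(&dword_12460, (uintptr_t)original_hook);
    return result;
}

int main(void) {
    printf("before overwrite: 0x%08x\n", ioctl_dispatch(7u));
    printf("after  overwrite: 0x%08x\n", demo_hijack(7u));
    printf("restored:         0x%08x\n", ioctl_dispatch(7u));
    return 0;
}
```

The point of the model is that nothing in the dispatch path validates where dword_12460 points; one pointer-sized write into a known, writable address is enough to redirect EIP the next time the IOCTL is dispatched.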
