Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114304353498105195">Will Dormann (wdormann@infosec.exchange)'s status on Saturday, 12-Apr-2025 01:16:44 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/114281733482760943" rel="in-reply-to">in reply to</a></div></section><article><p>If we poke around with various sizes/contents of the buffer that we send, we can conclude that we can indeed control EIP. (Yes, EIP, since web is a 32-bit app 😂).</p><p>However, given that the address space of web has nothing that matches up with ASCII-based number/. addressing, I'm curious what these "sophisticated means" being used ITW are.  Maybe something data-based?  🤔</p><p>Also LOL at Ivanti's:</p><p>it was evaluated and determined not to be exploitable</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4840199#notice-9556526">In conversation</a><time datetime="2025-04-12T01:16:44+09:00" title="Saturday, 12-Apr-2025 01:16:44 JST">about 16 days ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114304353498105195" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114304353498105195">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4449407">web process in gdb.
Access violation with EIP = 0x31323334</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/304/326/836/230/004/original/07e7e7aa51897409.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/304/326/836/230/004/original/07e7e7aa51897409.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4449408">Executable sections of the web process that don't start with "F"
Only section begins with "56", which isn't an ASCII number.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/304/346/541/697/796/original/34085e164b9a483e.jpg" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/304/346/541/697/796/original/34085e164b9a483e.jpg</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Saturday, 12-Apr-2025 01:16:44 JST Will Dormann
in reply to
If we poke around with various sizes/contents of the buffer that we send, we can conclude that we can indeed control EIP. (Yes, EIP, since web is a 32-bit app 😂).
However, given that the address space of web has nothing that matches up with ASCII-based number/. addressing, I'm curious what these "sophisticated means" being used ITW are. Maybe something data-based? 🤔
Also LOL at Ivanti's:
it was evaluated and determined not to be exploitable
In conversationabout 16 days ago from infosec.exchangepermalink
Attachments
1. web process in gdb. Access violation with EIP = 0x31323334
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/304/326/836/230/004/original/07e7e7aa51897409.png
2. Executable sections of the web process that don't start with "F" Only section begins with "56", which isn't an ASCII number.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/304/346/541/697/796/original/34085e164b9a483e.jpg

Public

Embed Notice

HTML Code

Corresponding Notice