hard-coded windows exploits

From: Jeremy Kothe (paceflowat_private)
Date: Tue Nov 16 1999 - 14:00:31 PST

    Just a general note concerning Windows overflows - most (if not all) of the
    publicly available exploits I have seen floating around are still using
    hard-coded addresses for system calls.
    
    I thought people might want to know that it is possible (and, indeed, quite
    easy) to get the addresses of system functions in a system-independent way.
    
    The technique is simple - all Windows processes are launched (called) from
    Kernel32.dll originally, so at the TOP of the stack (give or take a DWORD,
    depending on launch environment) there is a pointer to code inside
    kernel32.dll.
    
    Given that the top of the stack is stored at fs:4, it is easy to scan from
    the top of the stack, looking for kernel32.dll's pe header.
    
    Using an SEH block to skip over incorrect addresses on the stack, we
    can locate and look up whatever functions we want from Kernel32 (and from
    there to any other .dll).
    
    Using checksums of function names instead of the actual names, and an
    optimized GetProcAddress routine, results in generic code of about 200 bytes
    which can locate kernel32 and get the addresses of any functions,
    completely irrespective of the version of Windows.
    
    Note that most overflows will still require an initial hard-coded
    address to overwrite the stack return or the heap with, but there is no need
    for hard-coded function calls.
    
    Is this the only way to do this? Note that this method has been around for a
    while, but I haven't seen any public releases of it. If anyone knows of any
    other ways....
    
                      Jeremy Kothe
    
    Hi to any aussies (expats or otherwise) out there - even if you are from
    Queensland ;.
    
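The post describes the technique in prose only. The following is an added example (not code from the original message or its author) that models the three steps on any host: walk a candidate pointer taken from the stack down to a 64 KiB-aligned "MZ"/"PE" header, then resolve exports by a checksum of the name rather than by string, i.e. a minimal GetProcAddress. Everything here is an assumption of the model rather than something the post specifies: the "kernel32" is a constructed in-memory PE image with three exports, the 32-bit PE layout is assumed (the DataDirectory starts 96 bytes into the optional header; it is 112 for PE32+), the checksum is ROR-13 because the post only says "checksums", and the sim_readable() predicate stands in for the SEH handler that, on a real Windows stack, skips words that are not valid pointers. Reading fs:[4] for the stack base is what a real payload does and is not reproduced here.

```c
/* Added example, not from the original post: position-independent kernel32 lookup,
 * modelled against a constructed PE image so it runs on any host. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define IMG_SIZE          0x3000u   /* size of the constructed image */
#define ALLOC_GRANULARITY 0x10000u  /* Windows maps DLLs at 64 KiB-aligned bases */

static uint8_t *g_img;              /* base of the constructed image (64 KiB aligned) */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* Stand-in for the SEH handler: only the constructed image counts as mapped memory. */
static int sim_readable(uintptr_t a) {
    return g_img && a >= (uintptr_t)g_img && a + 4 <= (uintptr_t)g_img + IMG_SIZE;
}

/* Name checksum (ROR-13, an assumption: the post does not name an algorithm). */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    for (; *s; s++) h = ((h >> 13) | (h << 19)) + (uint8_t)*s;
    return h;
}

/* Does a PE image start at this 64 KiB-aligned address? ("MZ" then "PE\0\0") */
static int is_pe_base(uintptr_t a, int (*readable)(uintptr_t)) {
    const uint8_t *b = (const uint8_t *)a;
    if (!readable(a) || rd16(b) != 0x5A4D) return 0;
    uint32_t e_lfanew = rd32(b + 0x3C);
    return readable(a + e_lfanew) && rd32(b + e_lfanew) == 0x4550;
}

/* Round one candidate pointer down to allocation granularity and walk downward until
 * a PE header appears or the memory stops being readable (where SEH would fire). */
const uint8_t *find_pe_base(uintptr_t p, int (*readable)(uintptr_t)) {
    for (p &= ~(uintptr_t)(ALLOC_GRANULARITY - 1); readable(p); p -= ALLOC_GRANULARITY)
        if (is_pe_base(p, readable)) return (const uint8_t *)p;
    return NULL;
}

/* Scan stack words from the top (the fs:[4] stack base in the post) downward. */
const uint8_t *locate_kernel32(const uintptr_t *stack, size_t nwords,
                               int (*readable)(uintptr_t)) {
    for (size_t i = nwords; i-- > 0;) {
        const uint8_t *b = find_pe_base(stack[i], readable);
        if (b) return b;
    }
    return NULL;
}

/* Minimal GetProcAddress: walk the export name table comparing checksums, then map
 * the matching name index through the ordinal table to a function RVA. */
void *resolve_by_hash(const uint8_t *base, uint32_t want) {
    const uint8_t *nt = base + rd32(base + 0x3C);
    uint32_t exp_rva = rd32(nt + 4 + 20 + 96);   /* DataDirectory[0].VirtualAddress (PE32) */
    if (!exp_rva) return NULL;
    const uint8_t *ed = base + exp_rva;
    uint32_t nnames = rd32(ed + 24), funcs = rd32(ed + 28);
    uint32_t names = rd32(ed + 32), ords = rd32(ed + 36);
    for (uint32_t i = 0; i < nnames; i++) {
        const char *name = (const char *)base + rd32(base + names + 4 * i);
        if (ror13_hash(name) == want) {
            uint16_t ord = rd16(base + ords + 2 * i);
            return (void *)(base + rd32(base + funcs + 4 * ord));
        }
    }
    return NULL;
}

/* Constructed stand-in for kernel32.dll: DOS header, PE signature, export directory. */
const uint8_t *build_fake_kernel32(void) {
    if (g_img) return g_img;
    uint8_t *raw = calloc(IMG_SIZE + ALLOC_GRANULARITY, 1);
    g_img = (uint8_t *)(((uintptr_t)raw + ALLOC_GRANULARITY - 1) & ~(uintptr_t)(ALLOC_GRANULARITY - 1));
    uint8_t *b = g_img;
    memcpy(b, "MZ", 2);  wr32(b + 0x3C, 0x80);                 /* e_lfanew */
    memcpy(b + 0x80, "PE\0\0", 4);
    wr32(b + 0x80 + 4 + 20 + 96, 0x1000);                       /* export directory RVA */
    wr32(b + 0x1000 + 16, 1);                                   /* ordinal base */
    wr32(b + 0x1000 + 20, 3); wr32(b + 0x1000 + 24, 3);         /* 3 functions, 3 names */
    wr32(b + 0x1000 + 28, 0x1100); wr32(b + 0x1000 + 32, 0x1200); wr32(b + 0x1000 + 36, 0x1300);
    const char *names[3] = { "ExitProcess", "GetProcAddress", "LoadLibraryA" };
    for (uint32_t i = 0; i < 3; i++) {
        wr32(b + 0x1100 + 4 * i, 0x2000 + 0x10 * i);            /* function RVAs */
        wr32(b + 0x1200 + 4 * i, 0x1400 + 0x20 * i);            /* name RVAs */
        wr16(b + 0x1300 + 2 * i, (uint16_t)i);                  /* name index -> ordinal */
        strcpy((char *)b + 0x1400 + 0x20 * i, names[i]);
        b[0x2000 + 0x10 * i] = 0xC3;                             /* "ret" as placeholder code */
    }
    return g_img;
}

/* Constructed stack: index 0 is the lowest address, the last word is the top.
 * Two garbage words and a NULL surround one return address into the fake kernel32. */
const uint8_t *demo_locate(void) {
    const uint8_t *k32 = build_fake_kernel32();
    uintptr_t stack[] = { 0xDEADBEEFu, (uintptr_t)k32 + 0x2010, 0x00401000u, 0u };
    return locate_kernel32(stack, 4, sim_readable);
}

int main(void) {
    const uint8_t *k32 = demo_locate();
    uint32_t h = ror13_hash("LoadLibraryA");
    void *f = resolve_by_hash(k32, h);
    printf("kernel32 base %p, LoadLibraryA (hash %08x) at %p, RVA 0x%lx\n",
           (const void *)k32, h, f, (unsigned long)((const uint8_t *)f - k32));
    return 0;
}
```

The walk-down loop is where the SEH block in the post earns its keep: a stack word that looks like a pointer but is not mapped faults on the first read, and the handler simply moves to the next word. In this model sim_readable() makes that decision without faulting, which is why the search can be exercised against garbage words such as 0xDEADBEEF.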
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:12:59 PDT