Re: hard-coded windows exploits

From: Gerardo Richarte (core.lists.bugtraq@CORE-SDI.COM)
Date: Wed Nov 17 1999 - 11:25:15 PST


    Jeremy Kothe wrote:
    >
    > Just a general note concerning Windows overflows - most (if not all) of the
    > publicly available exploits I have seen floating around are still using
    > hard-coded addresses for system calls.
    >
    > Is this the only way to do this? Note that this method has been around for a
    > while, but I haven't seen any public releases of it. If anyone knows of any
    > other ways....
    
    
            I don't think that this is the only way to do it. What about
    using direct system calls? You don't need addresses for that, just call
    INT 2e/2c/2b with the correct registers...
    
            I can add to this that it may be a little harder to do, but
    anyway, kernel32.dll calls INTs or calls ntdll.dll, which uses INT
    2e/2c/2b to talk with NT's kernel, so everything looks possible with INTs.
    
            richie
    
    --
    A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
    Investigacion y Desarrollo - CoreLabs - Core SDI
    http://www.core-sdi.com
    
    --- For a personal reply use gera@core-sdi.com
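The stub shape richie is describing, as an added example that is not part of the original post or of any Core SDI code: on 32-bit NT the native call convention is EAX = system service number, EDX = pointer to the arguments on the user stack, then INT 2Eh. The code below assembles that stub byte-for-byte next to the hard-coded "mov eax, addr; call eax" stub it replaces, so the difference can be checked mechanically: the INT 2Eh version embeds no absolute address, but it still carries a service number, and those numbers change between NT versions and service packs (later Windows versions also moved from INT 2Eh to sysenter/syscall). The service number 0x42 and the address 0x77E00000 are hypothetical placeholders, not real values for any NT build.

```c
/* Added example, not from the original post: assemble a position-independent
 * NT native-call stub (INT 2Eh) and, for contrast, a hard-coded-address stub.
 * The service number and address used below are hypothetical placeholders. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define INT2E_STUB_LEN    14
#define CALL_ABS_STUB_LEN 7

/* Little-endian immediate encoders. */
static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static void put16(unsigned char *p, uint16_t v)
{
    p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8);
}

/* NT4-style ntdll stub, callable with the stdcall convention:
 *   mov  eax, <service>    B8 imm32       ; EAX = system service number
 *   lea  edx, [esp+4]      8D 54 24 04    ; EDX -> first stack argument
 *   int  2Eh               CD 2E          ; enter the kernel
 *   ret  <argc*4>          C2 imm16       ; caller's arguments cleaned up
 * Returns the number of bytes written. */
size_t build_int2e_stub(uint32_t service, unsigned argc,
                        unsigned char out[INT2E_STUB_LEN])
{
    unsigned char *p = out;
    *p++ = 0xB8; put32(p, service); p += 4;
    *p++ = 0x8D; *p++ = 0x54; *p++ = 0x24; *p++ = 0x04;
    *p++ = 0xCD; *p++ = 0x2E;
    *p++ = 0xC2; put16(p, (uint16_t)(argc * 4)); p += 2;
    return (size_t)(p - out);
}

/* The hard-coded alternative the thread complains about:
 *   mov  eax, <absolute address>   B8 imm32
 *   call eax                       FF D0 */
size_t build_call_abs_stub(uint32_t addr, unsigned char out[CALL_ABS_STUB_LEN])
{
    out[0] = 0xB8; put32(out + 1, addr);
    out[5] = 0xFF; out[6] = 0xD0;
    return CALL_ABS_STUB_LEN;
}

/* Does the byte string contain the 32-bit value v (little-endian)?
 * Used to show which stub embeds an absolute address. */
int stub_contains_u32(const unsigned char *buf, size_t len, uint32_t v)
{
    unsigned char le[4];
    put32(le, v);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, le, 4) == 0)
            return 1;
    return 0;
}

static void dump(const char *name, const unsigned char *b, size_t n)
{
    printf("%-10s", name);
    for (size_t i = 0; i < n; i++) printf(" %02X", b[i]);
    printf("\n");
}

int main(void)
{
    unsigned char a[INT2E_STUB_LEN], b[CALL_ABS_STUB_LEN];
    uint32_t service = 0x42;          /* hypothetical service number */
    uint32_t addr    = 0x77E00000u;   /* hypothetical library address */

    size_t la = build_int2e_stub(service, 3, a);   /* 3-argument service */
    size_t lb = build_call_abs_stub(addr, b);
    dump("int2e:", a, la);
    dump("callabs:", b, lb);
    printf("int2e stub embeds address: %d\n", stub_contains_u32(a, la, addr));
    printf("callabs stub embeds address: %d\n", stub_contains_u32(b, lb, addr));
    return 0;
}
```

The stub is only assembled here, not executed; running it requires 32-bit NT-era Windows and a service number valid for that exact build, which is the caveat richie's "correct registers" hides: the address dependency is traded for a syscall-table dependency.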
    


