The best way to handle functions is by looking it up in the ITable of the base executable. I've almost finished the new version of my shellcode, this one is ITable based, at a given executable base addr (works perfectly with any Win32). I'm also working on a polymorphic engine to create alphanumeric shellcode using my very own encoding method... it works. I'll post my work when it's ready, I have too much work to do.

You say that even if you use the rva (I think what you mean is IT or ET) an offset is required. Well yeah, that's true BUT you only need to know the base address of the executable, generally at 0400000h (most of the time), or for example, inetinfo preferred base = 01000000h. That's not a problem at all. Base addr's are constant. So if you totally wanna avoid even the base address, then you should do a big memory scan, and look for "MZ", and then scan the info from there and determine if it is the executable base address or the imported library you're looking for (actually I wrote a shell that does this).

Static DLLs? Kernel32 is one to avoid. I've found shell32 to be static in almost all versions of Win 9x for a given "jmp" instruction... I don't know why but I found this to be true some time ago when I wrote an exploit for IE. It worked in many Win95, 98s and Me's.

----- Original Message -----
From: "Franklin DeMatto" <franklin.listsat_private>
To: <vuln-devat_private>
Sent: Sunday, September 23, 2001 11:35 PM
Subject: static dll's for windows buffer overflows

> Windows buffer overflows almost always require knowledge of offsets in
> dll's. Even if rva is used, usually one offset is still known, to jmp to
> where the code is (e.g., let's say the shellcode is pointed to by eax, we
> need to know the offset of somewhere to jmp eax). Which dll's are the most
> static? For the jmp instruction, we can use any dll, as long as it has
> those bytes (i.e., we are not limited to kernel, user, and gdi). Which
> dll's are the best to use, and why?
>
> (BTW, I would like to suggest that the term "buffer overflow" be replaced
> with the term "memory overwrite," as there are many forms besides buffer
> overflow, such as format string, malloc (0) mangling, etc. )
>
> Franklin DeMatto
> Senior Analyst, qDefense Penetration Testing
> http://qDefense.com
> qDefense: Making Security Accessible
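The import-table lookup the reply relies on, seen from the analyst's side as an added example (not the poster's shellcode): a Python parser that walks a PE32 image's import directory and reports which IAT slot, relative to the ImageBase, the loader fills for each imported function. It assumes a flat image whose RVAs equal buffer offsets and runs on a constructed minimal PE rather than a real binary; the DYNAMIC_BASE flag check is an added caveat on the "base addresses are constant" assumption, since images carrying that flag are relocated at load time.

```python
import struct

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def parse_imports(img):
    """Walk the import directory of a flat PE32 image (assumes RVA == buffer offset)."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = _u32(img, 0x3C)                      # e_lfanew -> "PE\0\0"
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                             # optional header follows the 20-byte COFF header
    if _u16(img, opt) != 0x10B:
        raise ValueError("only PE32 handled here")
    image_base = _u32(img, opt + 28)
    relocatable = bool(_u16(img, opt + 70) & 0x40)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    idir = _u32(img, opt + 104)               # DataDirectory[1] = import directory RVA
    result = {"image_base": image_base, "relocatable": relocatable, "imports": []}
    while img[idir:idir + 20] != b"\0" * 20:  # descriptor list ends with an all-zero entry
        ilt, name_rva, iat = _u32(img, idir), _u32(img, idir + 12), _u32(img, idir + 16)
        dll = img[name_rva:img.index(b"\0", name_rva)].decode()
        i = 0
        while (entry := _u32(img, ilt + 4 * i)) != 0:
            if entry & 0x80000000:                       # import by ordinal
                func = f"#{entry & 0xFFFF}"
            else:                                        # IMAGE_IMPORT_BY_NAME: Hint(2) + name
                func = img[entry + 2:img.index(b"\0", entry + 2)].decode()
            result["imports"].append((dll, func, image_base + iat + 4 * i))  # VA of IAT slot
            i += 1
        idir += 20
    return result

def build_sample_image():
    """Constructed minimal PE32 image with one import descriptor (not a real binary)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header
    struct.pack_into("<H", img, 0x98, 0x10B)                     # PE32 magic
    struct.pack_into("<I", img, 0x98 + 28, 0x01000000)           # ImageBase (the inetinfo value above)
    struct.pack_into("<II", img, 0x98 + 104, 0x200, 40)          # import directory RVA, size
    struct.pack_into("<IIIII", img, 0x200, 0x240, 0, 0, 0x260, 0x280)  # ILT, ts, fwd, Name, IAT
    struct.pack_into("<III", img, 0x240, 0x2A0, 0x2B0, 0)        # ILT -> two hint/name entries
    img[0x260:0x26D] = b"KERNEL32.dll\0"
    img[0x2A0:0x2AF] = b"\0\0LoadLibraryA\0"
    img[0x2B0:0x2C1] = b"\0\0GetProcAddress\0"
    return bytes(img)
```

Run `parse_imports(build_sample_image())` to see the two IAT slots at 0x01000280 and 0x01000284; on a real file the RVA-to-offset mapping must go through the section table instead of the identity assumption used here.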
This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 08:34:03 PDT