Re: static dll's for windows buffer overflows

From: Enrique A. Compañ Gzz. (enriqueat_private)
Date: Mon Sep 24 2001 - 05:51:28 PDT


    The best way to handle functions is by looking them up in the IT table of the base
    executable.
    
    I've almost finished the new version of my shellcode. This one is ITable based, at a
    given executable base addr (works perfectly with any Win32). I'm also working on a
    polymorphic engine to create alphanumeric shellcode using my very own encoding
    method... it works.
    I'll post my work when it's ready; I have too much work to do.
    
    You say that even if you use the RVA (I think what you mean is IT or ET) an
    offset is required.
    Well yeah, that's true, BUT you only need to know the base address of the
    executable, generally at 0400000h (most of the time), or, for example, inetinfo's
    preferred base = 01000000h. That's not a problem at all. Base addrs are constant.
    
    So if you totally want to avoid even the base address, then you should do a
    big memory scan, look for "MZ", and then scan the info from there and
    determine if it is the executable base address or the imported library you're
    looking for (actually I wrote a shell that does this).
    
    Static DLLs? Kernel32 is one to avoid. I've found shell32 to be static in
    almost all versions of Win 9x for a given "jmp" instruction... I don't know why,
    but I found this to be true some time ago when I wrote an exploit for IE. It
    worked on many Win95, 98 and Me systems.
    
    ----- Original Message -----
    From: "Franklin DeMatto" <franklin.listsat_private>
    To: <vuln-devat_private>
    Sent: Sunday, September 23, 2001 11:35 PM
    Subject: static dll's for windows buffer overflows
    
    
    > Windows buffer overflows almost always require knowledge of offsets in
    > dll's.  Even if rva is used, usually one offset is still known, to jmp to
    > where the code is (e.g., let's say the shellcode is pointed to by eax, we
    > need to know the offset of somewhere to jmp eax).  Which dll's are the most
    > static?  For the jmp instruction, we can use any dll, as long as it has
    > those bytes (i.e., we are not limited to kernel, user, and gdi).  Which
    > dll's are the best to use, and why?
    >
    >
    > (BTW, I would like to suggest that the term "buffer overflow" be replaced
    > with the term "memory overwrite," as there are many forms besides buffer
    > overflow, such as format string, malloc (0) mangling, etc. )
    >
    >
    > Franklin DeMatto
    > Senior  Analyst, qDefense Penetration Testing
    > http://qDefense.com
    > qDefense: Making Security Accessible
    >
    



    This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 08:34:03 PDT