Re: static dll's for windows buffer overflows

From: Ryan Permeh (ryanat_private)
Date: Mon Sep 24 2001 - 09:19:09 PDT


    Microsoft has offered a lot of help in this, by providing their dll library
    which tells which dll's were shipped with X SP or OS version. Check on
    msdn.microsoft.com.  I tend to prefer looking for usable jump points in
    application-provided code (provided dll's), preferably in the code you are
    overflowing.  This seems to work best for me, because if the code contains
    an overflow, and there is a usable jump point, if the overflow is there, so
    is the jump point :)
    
    As far as I've seen, there is no "magic bullet" of jump points; a pretty
    decent choice if you need to hit an OS dll is often kernel32.dll, or msvcrt.
    Another technique you may choose to use is to avoid application code
    altogether, and jump directly to the stack or the heap.  Often, you don't
    know your specific addresses, but if size isn't an issue, a decent nop sled
    can compensate for slight deviations.
    
    Signed,
    Ryan Permeh
    eEye Digital Security Team
    http://www.eEye.com/Retina -Network Security Scanner
    http://www.eEye.com/Iris -Network Traffic Analyzer
    http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities
    
    ----- Original Message -----
    From: <foobat_private>
    To: "Franklin DeMatto" <franklin.listsat_private>
    Cc: <vuln-devat_private>
    Sent: Monday, September 24, 2001 4:30 AM
    Subject: Re: static dll's for windows buffer overflows
    
    
    >
    > > Windows buffer overflows almost always require knowledge of offsets in
    > > dll's.  Even if rva is used, usually one offset is still known, to jmp to
    > > where the code is (e.g., let's say the shellcode is pointed to by eax, we
    > > need to know the offset of somewhere to jmp eax).  Which dll's are the most
    > > static?  For the jmp instruction, we can use any dll, as long as it has
    > > those bytes (i.e., we are not limited to kernel, user, and gdi).  Which
    > > dll's are the best to use, and why?
    >
    > Using dll's for the jmp's causes problems when different service packs are
    > encountered.  I usually grab a list of all the dlls loaded by a process
    > (dumpbin, pex or msvc will do this), narrow down to the ones
    > containing a usable jmp/call instruction, and then pick the one with the
    > oldest date in the newest service pack.  This way, the same dll will be
    > used in most (all?) earlier service packs.
    >
    > Also, dll's with addresses that are ascii printable are good for filtered
    > buffer overflows - i.e. 0x77500000 (clbcatq.dll) == 'gP..' in internet
    > explorer 6.
    >
    > Usually the choices are limited however.
    >
    > - foob
    >
    >
    >
    
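The mechanical part of what both posts describe (find every usable jmp reg / call reg in a dll and notice which of the resulting addresses are ASCII-printable) is easy to automate. The program below is an added example written for this archive page; it is not code from either poster or from eEye. It parses a PE32 image as laid out on disk, scans only sections flagged executable for the byte pairs FF E0..E7 (jmp r32) and FF D0..D7 (call r32), and reports ImageBase + section RVA + offset for each hit, marking the addresses whose four bytes are all 0x20..0x7e. The input is a constructed fake dll assembled in memory with a hypothetical ImageBase of 0x61610000 and invented section layout; to scan a real dll, fread() the file into a buffer and hand it to find_reg_gadgets() instead of build_sample_image(). The addresses it reports are only valid if the dll loads at its preferred ImageBase, which is exactly why the thread cares about which dll's stay put across service packs: a dll that is relocated by the loader, or rebuilt in a new service pack, moves the jump point.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE32 header offsets from the PE/COFF spec (PE32+ has a 64-bit ImageBase; not handled here). */
enum { DOS_E_LFANEW = 0x3c, COFF_NUM_SECTIONS = 2, COFF_SIZE_OPT_HDR = 16, COFF_HDR_SIZE = 20,
       OPT_MAGIC_PE32 = 0x10b, OPT_IMAGEBASE = 28, SEC_HDR_SIZE = 40, SEC_VIRTADDR = 12,
       SEC_RAWSIZE = 16, SEC_RAWPTR = 20, SEC_CHARACTERISTICS = 36 };
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u

/* va = ImageBase + section RVA + offset of the FF byte; reg 0..7 = eax ecx edx ebx esp ebp esi edi;
 * printable = 1 when all four address bytes are 0x20..0x7e. */
typedef struct { uint32_t va; int is_call, reg, printable; } gadget_t;
static const char *const reg_names[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Does the address survive a filter that only lets printable ASCII through? */
int all_printable(uint32_t va)
{
    for (int i = 0; i < 4; i++) { unsigned b = (va >> (8 * i)) & 0xff; if (b < 0x20 || b > 0x7e) return 0; }
    return 1;
}

/* Scan the executable sections of a PE32 image (file layout, as read from disk) for
 * FF E0..E7 (jmp r32) and FF D0..D7 (call r32).  Instruction alignment does not matter:
 * a return address into the middle of a longer instruction still executes the FF xx
 * pair, so every occurrence is a candidate.  Reported VAs assume the dll loads at its
 * preferred ImageBase.  Returns the gadget count (only the first max_out are stored)
 * or -1 if the buffer is not a PE32 image. */
int find_reg_gadgets(const uint8_t *img, size_t len, gadget_t *out, int max_out)
{
    if (len < DOS_E_LFANEW + 4 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + DOS_E_LFANEW);
    if ((size_t)pe + 4 + COFF_HDR_SIZE > len || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe + 4, *opt = coff + COFF_HDR_SIZE;
    unsigned nsec = rd16(coff + COFF_NUM_SECTIONS), opt_size = rd16(coff + COFF_SIZE_OPT_HDR);
    if ((size_t)(opt - img) + opt_size + (size_t)nsec * SEC_HDR_SIZE > len) return -1;
    if (opt_size < OPT_IMAGEBASE + 4 || rd16(opt) != OPT_MAGIC_PE32) return -1;
    uint32_t image_base = rd32(opt + OPT_IMAGEBASE);
    int n = 0;
    for (unsigned s = 0; s < nsec; s++) {
        const uint8_t *sh = opt + opt_size + s * SEC_HDR_SIZE;
        if (!(rd32(sh + SEC_CHARACTERISTICS) & IMAGE_SCN_MEM_EXECUTE)) continue;
        uint32_t rva = rd32(sh + SEC_VIRTADDR), raw = rd32(sh + SEC_RAWPTR), rawsz = rd32(sh + SEC_RAWSIZE);
        if ((size_t)raw + rawsz > len) continue;               /* truncated section: skip it */
        for (uint32_t i = 0; i + 1 < rawsz; i++) {
            uint8_t modrm = img[raw + i + 1];
            if (img[raw + i] != 0xff || ((modrm & 0xf8) != 0xd0 && (modrm & 0xf8) != 0xe0)) continue;
            if (n < max_out) {
                out[n].va = image_base + rva + i;
                out[n].is_call = (modrm & 0xf8) == 0xd0;
                out[n].reg = modrm & 7;
                out[n].printable = all_printable(out[n].va);
            }
            n++;
        }
    }
    return n;
}

/* Constructed sample: a tiny fake PE32 "dll" assembled in memory, not a real Microsoft binary.
 * The hypothetical ImageBase 0x61610000 is chosen so that some addresses come out printable. */
#define SAMPLE_LEN 0x2500
size_t build_sample_image(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + DOS_E_LFANEW, 0x40); memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44, *opt = coff + COFF_HDR_SIZE, *sh = opt + 0xe0;
    wr16(coff, 0x014c); wr16(coff + COFF_NUM_SECTIONS, 2); wr16(coff + COFF_SIZE_OPT_HDR, 0xe0);
    wr16(opt, OPT_MAGIC_PE32); wr32(opt + OPT_IMAGEBASE, 0x61610000);
    memcpy(sh, ".text", 5);                  /* .text: RVA 0x2000, file 0x400..0x2400, executable */
    wr32(sh + SEC_VIRTADDR, 0x2000); wr32(sh + SEC_RAWSIZE, 0x2000); wr32(sh + SEC_RAWPTR, 0x400);
    wr32(sh + SEC_CHARACTERISTICS, IMAGE_SCN_MEM_EXECUTE | 0x20);
    sh += SEC_HDR_SIZE;
    memcpy(sh, ".data", 5);                  /* .data: RVA 0x4000, file 0x2400..0x2500, not executable */
    wr32(sh + SEC_VIRTADDR, 0x4000); wr32(sh + SEC_RAWSIZE, 0x100); wr32(sh + SEC_RAWPTR, 0x2400);
    wr32(sh + SEC_CHARACTERISTICS, 0xc0000040);
    buf[0x400 + 0x10]   = 0xff; buf[0x400 + 0x11]   = 0xe0;  /* jmp eax  -> VA 0x61612010 */
    buf[0x400 + 0x1141] = 0xff; buf[0x400 + 0x1142] = 0xd4;  /* call esp -> VA 0x61613141 = "A1aa" */
    buf[0x2400 + 0x20]  = 0xff; buf[0x2400 + 0x21]  = 0xe4;  /* jmp esp in .data: must be ignored */
    return SAMPLE_LEN;
}

int main(void)
{
    static uint8_t img[SAMPLE_LEN];
    gadget_t g[32];
    int n = find_reg_gadgets(img, build_sample_image(img), g, 32);
    for (int i = 0; i < n && i < 32; i++)
        printf("%s %s at 0x%08x%s\n", g[i].is_call ? "call" : "jmp ", reg_names[g[i].reg],
               g[i].va, g[i].printable ? "   <- ASCII-printable address" : "");
    return n > 0 ? 0 : 1;
}
```

Run against the sample it lists the jmp eax at 0x61612010 and the call esp at 0x61613141, and only the second is flagged printable; the jmp esp planted in .data is skipped because the section is not executable, which is the same reason a hit in a real dll's data section is useless unless that page happens to be mapped executable at run time. The scanner does not implement foob's "oldest date in the newest service pack" heuristic; that is still a manual step over the list of dll's a process loads.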



    This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 09:52:03 PDT