Berend-Jan Wever wrote:
> > PS: Of course, as halvar told me when I through this questions at
> > him once: how did you jump to your code in the first place [if you
> > don't know its address]. And well... he does have a strong point
> > there... but heh, it's still a lot of fun to think about this small
> > pieces of code, isn't it? :-)
> Hmmm... isn't halvar forgetting nopslides and other brute-force attacks...?
Well... nop slides are not a problem: if you have some approximation of
where in memory the shellcode may be, you can always scan for it, and get
the right address where it starts, but if you don't know where it is, you may
make the process crash while scanning for the shellcode in memory... You
could also change nops for inc %eax (or any other register), and then, if
you knew the initial value for eax, you would know how many "nops" were
executing before the first byte of the shellcode :-)
On the other hand, there ARE some exploits where you don't know the
address of the shellcode, mainly because the vulnerable program is putting
it for you in the right place (wu-ftp's ~{, system V login's, and some ssh
I remember could be done like this). On that cases you probably can't know
the address of your shellcode... but still, there may be some other means of
getting it (and not just mov %eip, %eax).
> PS. hi gera, halvar ;)
:-)
gera
This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 17:08:49 PDT