Re: GetPC code (was: Shellcode from ASCII)

From: Berend-Jan Wever (SkyLinedat_private)
Date: Tue Jul 01 2003 - 00:59:43 PDT

Next message: Costin Ionescu: "Re: GetPC code (was: Shellcode from ASCII)"

Next in thread: Costin Ionescu: "Re: GetPC code (was: Shellcode from ASCII)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----- Original Message ----- 
From: "Gerardo Richarte" <geraat_private>
To: <vuln-devat_private>
Sent: Monday, June 30, 2003 16:11
Subject: Re: GetPC code (was: Shellcode from ASCII)


> Berend-Jan Wever wrote:
>
>    Well... nop slides are not a problem: if you have some approximation of
> where in memory the shellcode may be, you can always scan for it, and get
> the right address where it starts, but if you don't know where it is, you
may
> make the process crash while scanning for the shellcode in memory... You
> could also change nops for inc %eax (or any other register), and then, if
> you knew the initial value for eax, you would know how many "nops" were
> executing before the first byte of the shellcode :-)
I don't see how you are going to scan memory if you can not make your code
loop (jmp-ing back uses a negative dislocations, which is >0x80 and not
alpha numeric)
The "counting" nopslide is a great idear, and since I was going to get the
baseaddress of the shellcode from a register, you can use the "inc %ebx" (or
any other register except eax) too ;)

>     On the other hand, there ARE some exploits where you don't know the
> address of the shellcode, mainly because the vulnerable program is putting
> it for you in the right place (wu-ftp's ~{, system V login's, and some ssh
> I remember could be done like this). On that cases you probably can't know
> the address of your shellcode... but still, there may be some other means
of
> getting it (and not just mov %eip, %eax).
If it's on the stack, esp or ebp can be used and possibly some other
registers.
If it's on the heap, you might be able to find some static pointer or
pointer on the stack the gives you the baseaddress of your shellcode.
Too bad you can not add or sub an offset from a register.

>
> > PS. hi gera, halvar ;)
>
>     :-)
>
>     gera
 :P:p:P hehehe

SkyLined

PS. "Alpha", my _uppercase_ alphanumeric shellcode generator is a few days
away from completion ;)

PS2. The latest IE BoF can be exploited ;)
(let me know if you want it Sunil)

Next message: Costin Ionescu: "Re: GetPC code (was: Shellcode from ASCII)"
Next in thread: Costin Ionescu: "Re: GetPC code (was: Shellcode from ASCII)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 01 2003 - 22:39:13 PDT