which one will you consider a better approach? placing shellcode before or after return addr? ----- Original Message ----- From: DownBload <downbloadat_private> Date: 26 Jul 2003 12:39:18 -0000 To: vuln-devat_private Subject: Re: Some help With BOF Exploits Writing. > In-Reply-To: <Law9-F5967EKRuYDlrj00009721at_private> > > Remote bof exploitation is little bit harder, because you can't just > do "movl %esp, %eax" for finding return address. In classic buffer > overflows, for remote exploits, try to install vuln. application on your > host and find return address. Then you can code exploit which will > probably work on same architecture, OS and application version as yours. > For remote (local also) exploits, you can use return address brute force > method. > Remote format string exploits are much more hackers-friendly than classic > buffer overflows in return address finding. You can just pop stack with %x% > x%x%x%x. > > DownBload / Illegal Instruction Labs <www.kamikaza.org> > > > > > >The return address should be before your shellcode, inside the nop's. > > > >[NNNNNNNNNSSSSSSSSSSSSSRET] buffer stored on stack. > >5 1 2 3 4 > >0xFFFFA 0xFFFFD 0xFFFFE grows upwards. > > > >1. Bunch of nop instructions: 0x90, that do nothing, so execution goes to > >the right until your code > > is executed. > > > >2. shellcode. > > > >3. return address, which is calculated to point somewhere within the nop > >operations, this is calculated > > locally, by using the stack pointer esp. see 4. > > > >4. Esp stack pointer points to the top of stack, which is usually here, > >unless there is other data > > on the stack, to calculate the address of the NOP's, you'd get the esp > >address and subtract > > an offset from it depending on the size of the data within the stack. > > > >5. Ebp, the current location inside the stack, so if anything gets > pushed, > >it'll get pushed here and > > ebp will continue to shift to the left as more things are added to the > >stack. > > > >most unix code does this like this: > >----------------------------- > >get_esp() > >{ > >__asm__("movl %esp, %eax"); puts the esp (current stack top) into eax. > Eax > >is the return value > >} of most function calls in C. > > > >//calculate ret, using offset supplied by user. > > > >offset = atoi(argv[1]); will crash if there was no input > >however. Should check first. > >RET = get_esp() - offset; > > > >---------------------------------- > > > >[NNNNNNNNNNNNNSSSSSSSSSSSSSSSRET] > >10 20 30 40 50 60 > > > >simple decimal example. > > > >/exploit 20 > > > >RET = Getesp() - offset > >RET = 60 - 20 > >RET = 40 > > > >crash .. middle of shellcode > > > >/exploit 40 > > > >RET = getesp() - offset > >RET = 60 - 40 > >RET = 20 > > > >Bingo, right in the nops, execution moves to the right until shellcode > >hits.. thats the basic way of > >doing it anyway. > > > >Another method is by putting the shellcode, and alot more nops inside an > >environment variable, to > >increase the size of the padding(NOPs) to increase chances of success and > >have less guesswork. > > > >Anyone want to add to this? > > > >And a question of my own, how does remote exploits accomplish this?? > Thats > >been on my mind for > >quite some time. > > > >deepcode > > > >>From: "theetabond" <theetabondat_private> > >>Reply-To: "theetabond" <theetabondat_private> > >>To: pondermateat_private > >>Subject: Some help With BOF Exploits Writing. > >>Date: 25 Jul 2003 06:56:15 -0000 > >> > >>Hi there DeepCode, > >> I've been reading u'r recent posts on Vul-Dev, and > they > >>were very informative and useful for me. I had some questions in my mind > >>regarding writing buffer overflows on Win32 platform, and i hope may be > you > >>cud help me with that. > >>I had written some exploits ( stack overflow ) for win98 successfully. > But > >>now i want to do the same thing at win2k/winxp platforms. My problem in > >>this is - in calculating the return address which u write over the > previous > >>RET instruction. On win98 i had a util called getcode.exe , which will > scan > >>the memory and list out the jmp eax, ret eax, call eax, call ebx and > >>similar useful addresses which u can use to write at return addresses. > >>Unfortunately this particular tool deosn't work on win2k/Xp. So how can > i > >>calculate the return address on 2k/Xp platform?? Dissembling the > DLLs/EXEs > >>and searching them all for such instances is kinda hard to do. > >> So is there any way/tool which can give me the desired output ?? > >>Thank You Very Much > >>theeta. > >> > >> > > > >_________________________________________________________________ > >Add photos to your e-mail with MSN 8. Get 2 months FREE*. > >http://join.msn.com/?page=features/featuredemail > > > > -- ______________________________________________ http://www.linuxmail.org/ Now with e-mail forwarding for only US$5.95/yr Powered by Outblaze
This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 12:23:50 PDT