DownBload- So you are saying that the return address will be the same on my local machine as it is on a remote machine (for a particular application on the same archatecture). I have found that most time it is true. Which got me wondering how in the world do two differnet instances of the same OS/arch come up with the same addresses?? Is it luck ? Any knowledge here would be helpful? If you don't mind: When you say "find the return address"; is that the value in the esp/SP at the time when the actural vulnerable function is called ? Thanks, Olaf On Sat, 26 Jul 2003 05:39:18 -0700 DownBload <downbloadat_private> wrote: >In-Reply-To: <Law9-F5967EKRuYDlrj00009721at_private> > >Remote bof exploitation is little bit harder, because you can't >just >do "movl %esp, %eax" for finding return address. In classic buffer >> >overflows, for remote exploits, try to install vuln. application >on your >host and find return address. Then you can code exploit which will >> >probably work on same architecture, OS and application version as >yours. >For remote (local also) exploits, you can use return address brute >force >method. >Remote format string exploits are much more hackers-friendly than >classic >buffer overflows in return address finding. You can just pop stack >with %x% >x%x%x%x. > >DownBload / Illegal Instruction Labs <www.kamikaza.org> > > >> >>The return address should be before your shellcode, inside the >nop's. >> >>[NNNNNNNNNSSSSSSSSSSSSSRET] buffer stored on stack. >>5 1 2 3 4 >>0xFFFFA 0xFFFFD 0xFFFFE grows upwards. >> >>1. Bunch of nop instructions: 0x90, that do nothing, so execution >goes to >>the right until your code >> is executed. >> >>2. shellcode. >> >>3. return address, which is calculated to point somewhere within >the nop >>operations, this is calculated >> locally, by using the stack pointer esp. see 4. >> >>4. Esp stack pointer points to the top of stack, which is usually >here, >>unless there is other data >> on the stack, to calculate the address of the NOP's, you'd get >the esp >>address and subtract >> an offset from it depending on the size of the data within the >stack. >> >>5. Ebp, the current location inside the stack, so if anything gets >> >pushed, >>it'll get pushed here and >> ebp will continue to shift to the left as more things are added >to the >>stack. >> >>most unix code does this like this: >>----------------------------- >>get_esp() >>{ >>__asm__("movl %esp, %eax"); puts the esp (current stack top) >into eax. >Eax >>is the return value >>} of most function >calls in C. >> >>//calculate ret, using offset supplied by user. >> >>offset = atoi(argv[1]); will crash if there was no >input >>however. Should check first. >>RET = get_esp() - offset; >> >>---------------------------------- >> >>[NNNNNNNNNNNNNSSSSSSSSSSSSSSSRET] >>10 20 30 40 50 60 >> >>simple decimal example. >> >>/exploit 20 >> >>RET = Getesp() - offset >>RET = 60 - 20 >>RET = 40 >> >>crash .. middle of shellcode >> >>/exploit 40 >> >>RET = getesp() - offset >>RET = 60 - 40 >>RET = 20 >> >>Bingo, right in the nops, execution moves to the right until shellcode >> >>hits.. thats the basic way of >>doing it anyway. >> >>Another method is by putting the shellcode, and alot more nops >inside an >>environment variable, to >>increase the size of the padding(NOPs) to increase chances of success >and >>have less guesswork. >> >>Anyone want to add to this? >> >>And a question of my own, how does remote exploits accomplish this?? >> >Thats >>been on my mind for >>quite some time. >> >>deepcode >> >>>From: "theetabond" <theetabondat_private> >>>Reply-To: "theetabond" <theetabondat_private> >>>To: pondermateat_private >>>Subject: Some help With BOF Exploits Writing. >>>Date: 25 Jul 2003 06:56:15 -0000 >>> >>>Hi there DeepCode, >>> I've been reading u'r recent posts on Vul-Dev, > and >they >>>were very informative and useful for me. I had some questions >in my mind >>>regarding writing buffer overflows on Win32 platform, and i hope >may be >you >>>cud help me with that. >>>I had written some exploits ( stack overflow ) for win98 successfully. >> >But >>>now i want to do the same thing at win2k/winxp platforms. My problem >in >>>this is - in calculating the return address which u write over >the >previous >>>RET instruction. On win98 i had a util called getcode.exe , which >will >scan >>>the memory and list out the jmp eax, ret eax, call eax, call ebx >and >>>similar useful addresses which u can use to write at return addresses. >> >>>Unfortunately this particular tool deosn't work on win2k/Xp. So >how can >i >>>calculate the return address on 2k/Xp platform?? Dissembling the >> >DLLs/EXEs >>>and searching them all for such instances is kinda hard to do. >>> So is there any way/tool which can give me the desired output >?? >>>Thank You Very Much >>>theeta. >>> >>> >> >>_________________________________________________________________ >>Add photos to your e-mail with MSN 8. Get 2 months FREE*. >>http://join.msn.com/?page=features/featuredemail >> >> > > Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
This archive was generated by hypermail 2b30 : Thu Aug 07 2003 - 16:38:09 PDT