Re: Can't Preventing exploitation with rebasing

From: bugtraq@gaza.halo.nu
Date: 02/05/03

    Date: Wed, 5 Feb 2003 04:06:45 -0600 (CST)
    From: <bugtraq@gaza.halo.nu>
    To: Alan DeKok <aland@freeradius.org>


    All difficulties posed by such a "rebasing" technique can be conquered.
    The only difficulty it presents is getting back to your shellcode. This
    can be overcome easily unless you're remapping kernel memory as well.
    The kernel holds secrets to finding LoadLibrary and GetProcAddress, and a
    jmp esp, which is all you need to make your shellcode dance.

    DIGRESSION:
            Dave Litchfield says you can call esp. I don't know Dave's
            relationships with his registers but this doesn't work if I want
            to get my eip on top of my shellcode. Always starts executing a
            memory address for me. Maybe if I took esp out to dinner more
            often then I could call it instead of having to jump on top of it.
            Dave, any suggestions for the wine list?
    END DIGRESSION.

    There's no silver bullet for security. Security is in a fluid state
    always, and will always be so.

    -Jove

    > Brian Hatch <bugtraq@ifokr.org> wrote:
    > > People keep saying "but it won't stop everything", and that's true.

    > This takes the security versus obscurity argument from the realm of
    > personal opinion to one of quantitative statements. We should have a
    > similar goal for this discussion.
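
The trampoline hunt Jove describes, as an added example that is not part of the original post or of any tool mentioned in the thread: a scan of a module image for the byte sequences that transfer control to the address in ESP (jmp esp = FF E4, call esp = FF D4, push esp; ret = 54 C3), keeping only addresses that contain no NUL byte so they survive a strcpy()-style copy. The image is a constructed buffer with the sequences planted at known offsets, and the load bases 0x77E10000 and 0x00400000 are hypothetical; mapping a real DLL's sections into the buffer is not shown.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two-byte sequences that transfer control to the address held in ESP. */
typedef struct {
    unsigned char op[2];
    const char *mnemonic;
} pattern_t;

static const pattern_t patterns[] = {
    { {0xFF, 0xE4}, "jmp esp" },       /* no stack side effect                  */
    { {0xFF, 0xD4}, "call esp" },      /* also pushes a return address at esp-4 */
    { {0x54, 0xC3}, "push esp; ret" }, /* same effect as jmp esp                */
};

typedef struct {
    unsigned int address;   /* module base + offset of the sequence */
    const char *mnemonic;
} trampoline_t;

/* True if any byte of the 32-bit address is zero: such an address cannot be
 * delivered through a strcpy()-style overflow because the copy stops there. */
int addr_has_nul(unsigned int a)
{
    return ((a & 0xFFu) == 0) || ((a & 0xFF00u) == 0) ||
           ((a & 0xFF0000u) == 0) || ((a & 0xFF000000u) == 0);
}

/* Scan an in-memory module image loaded at 'base' for trampolines.  When
 * strcpy_safe is nonzero, addresses containing a NUL byte are dropped.
 * Returns the number of trampolines stored in out[]. */
size_t find_trampolines(const unsigned char *img, size_t len, unsigned int base,
                        int strcpy_safe, trampoline_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max; i++) {
        for (size_t p = 0; p < sizeof patterns / sizeof patterns[0]; p++) {
            if (img[i] != patterns[p].op[0] || img[i + 1] != patterns[p].op[1])
                continue;
            unsigned int addr = base + (unsigned int)i;
            if (strcpy_safe && addr_has_nul(addr))
                break;                      /* unusable, keep scanning */
            out[n].address = addr;
            out[n].mnemonic = patterns[p].mnemonic;
            n++;
            break;
        }
    }
    return n;
}

/* Constructed sample image (not a real module): NOP filler with three
 * trampolines planted at known offsets. */
#define SAMPLE_LEN 0x400
static unsigned char sample_image[SAMPLE_LEN];

const unsigned char *build_sample_image(void)
{
    memset(sample_image, 0x90, SAMPLE_LEN);
    sample_image[0x103] = 0xFF; sample_image[0x104] = 0xE4; /* jmp esp       */
    sample_image[0x210] = 0xFF; sample_image[0x211] = 0xD4; /* call esp      */
    sample_image[0x3FE] = 0x54; sample_image[0x3FF] = 0xC3; /* push esp; ret */
    return sample_image;
}

int main(void)
{
    trampoline_t hits[16];
    const unsigned char *img = build_sample_image();
    /* Hypothetical load bases: a high one whose addresses have no NUL byte,
     * and a 0x00400000-style base whose high byte is always zero. */
    unsigned int bases[] = { 0x77E10000u, 0x00400000u };
    for (size_t b = 0; b < 2; b++) {
        size_t n = find_trampolines(img, SAMPLE_LEN, bases[b], 1, hits, 16);
        printf("base 0x%08X: %zu usable trampoline(s)\n", bases[b], n);
        for (size_t i = 0; i < n; i++)
            printf("  0x%08X  %s\n", hits[i].address, hits[i].mnemonic);
    }
    return 0;
}
```

Run against the constructed image, the high base yields all three trampolines and the 0x00400000 base yields none once the NUL filter is on, which is the practical effect of a module's base on whether its gadgets are reachable through a string overflow. The comment on call esp records the one difference from jmp esp that matters to shellcode layout: it writes a 4-byte return address just below the new ESP before control arrives.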


