static dll's for windows buffer overflows

From: Franklin DeMatto (franklin.lists@qDefense.com)
Date: 09/24/01 

Message-Id: <4.2.2.20010924003120.00aaa9d8@compumodel.com>
Date: Mon, 24 Sep 2001 00:35:55 -0400
To: vuln-dev@securityfocus.com
From: Franklin DeMatto <franklin.lists@qDefense.com>
Subject: static dll's for windows buffer overflows

Windows buffer overflows almost always require knowledge of offsets in
dll's. Even if rva is used, usually one offset is still known, to jmp to
where the code is (e.g., let's say the shellcode is pointed to by eax, we
need to know the offset of somewhere to jmp eax). Which dll's are the most
static? For the jmp instruction, we can use any dll, as long as it has
those bytes (i.e., we are not limited to kernel, user, and gdi). Which
dll's are the best to use, and why?

(BTW, I would like to suggest that the term "buffer overflow" be replaced
with the term "memory overwrite," as there are many forms besides buffer
overflow, such as format string, malloc (0) mangling, etc. )

Franklin DeMatto
Senior Analyst, qDefense Penetration Testing
http://qDefense.com
qDefense: Making Security Accessible

Relevant Pages

  • Re: static dlls for windows buffer overflows
    ... static dll's for windows buffer overflows ... Even if rva is used, usually one offset is still known, to jmp to ...
    (Vuln-Dev)
  • Re: static dlls for windows buffer overflows
    ... static dll's for windows buffer overflows ... Even if rva is used, usually one offset is still known, to jmp to ... For the jmp instruction, we can use any dll, as long as it has ... Using dll's for the jmp's causes problems when different service packs are ...
    (Vuln-Dev)
  • Re: Which assembler can handle the BIG stuff ?
    ... their right mind is going to make jmps to jmp tables to jmp to internal ... Now let's say you have a DLL with a function called SOME_FUNCTIONat ... to know where offset 0h is in memory, ... Now everyone and their dog knows that an EXE file is loaded at 400000h ...
    (alt.lang.asm)
  • Re: jmp absolute indirect r/m32 in x64??
    ... it says JMP r/m32 is not supported in 64 bit mode... ... FF/4 encoding with 0 offset from RIP ... emulator or debugger doesn't properly support 64-bits, ...
    (comp.lang.asm.x86)
  • Re: Which assembler can handle the BIG stuff ?
    ... >their right mind is going to make jmps to jmp tables to jmp to internal ... >Now let's say you have a DLL with a function called SOME_FUNCTIONat offset ... >to know where offset 0h is in memory, and then calculate the offset from there ... >Now everyone and their dog knows that an EXE file is loaded at 400000h ...
    (alt.lang.asm)