Re: static dll's for windows buffer overflows

From: foob@return0.net
Date: 09/24/01


Date: Mon, 24 Sep 2001 11:30:53 +0000 (GMT)
From: <foob@return0.net>
To: Franklin DeMatto <franklin.lists@qDefense.com>
Subject: Re: static dll's for windows buffer overflows
Message-ID: <Pine.LNX.4.21.0109241124010.845-100000@node.return0.net>


> Windows buffer overflows almost always require knowledge of offsets in
> dll's. Even if rva is used, usually one offset is still known, to jmp to
> where the code is (e.g., let's say the shellcode is pointed to by eax, we
> need to know the offset of somewhere to jmp eax). Which dll's are the most
> static? For the jmp instruction, we can use any dll, as long as it has
> those bytes (i.e., we are not limited to kernel, user, and gdi). Which
> dll's are the best to use, and why?

Using dll's for the jmp's causes problems when different service packs are
encountered. I usually grab a list of all the dlls loaded by a process
(dumpbin, pex or msvc will do this), narrow down to the ones
containing a usable jmp/call instruction, and then pick the one with the
oldest date in the newest service pack. This way, the same dll will be
used in most (all?) earlier service packs.

Also, dll's with addresses that are ascii printable are good for filtered
buffer overflows - i.e. 0x77500000 (clbcatq.dll) == 'gP..' in internet
explorer 6.

Usually the choices are limited however.

- foob
