Re: GetPC code (was: Shellcode from ASCII)

From: Gerardo Richarte (gera_at_corest.com)
Date: 06/30/03

  • Next message: Gerardo Richarte: "Re: GetPC code (was: Shellcode from ASCII)"
    Date: Mon, 30 Jun 2003 11:11:50 -0300
    To: vuln-dev@securityfocus.com
    
    

    Berend-Jan Wever wrote:

    > > PS: Of course, as halvar told me when I threw these questions at
    > > him once: how did you jump to your code in the first place [if you
    > > don't know its address]. And well... he does have a strong point
    > > there... but heh, it's still a lot of fun to think about these small
    > > pieces of code, isn't it? :-)
    > Hmmm... isn't halvar forgetting nopslides and other brute-force attacks...?

       Well... nop slides are not a problem: if you have some approximation of
    where in memory the shellcode may be, you can always scan for it, and get
    the right address where it starts, but if you don't know where it is, you may
    make the process crash while scanning for the shellcode in memory... You
    could also change nops for inc %eax (or any other register), and then, if
    you knew the initial value for eax, you would know how many "nops" were
    executing before the first byte of the shellcode :-)
        On the other hand, there ARE some exploits where you don't know the
    address of the shellcode, mainly because the vulnerable program is putting
    it for you in the right place (wu-ftp's ~{, system V login's, and some ssh
    I remember could be done like this). In those cases you probably can't know
    the address of your shellcode... but still, there may be some other means of
    getting it (and not just mov %eip, %eax).

    > PS. hi gera, halvar ;)

        :-)

        gera
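The exchange above touches on nop slides and on swapping the nops for `inc %eax`. From a detection standpoint that substitution matters: a payload check that only looks for runs of 0x90 misses a sled built from other single-byte instructions. The following is an added example, not code from this thread or from any of its participants, that scans a byte buffer for long runs drawn from a constructed set of single-byte 32-bit x86 opcodes usable as sled filler, and contrasts it with the naive 0x90-only check. The opcode set, the `min_len` threshold and all sample buffers are assumptions made for the example.

```python
# Added example (not from the vuln-dev thread): flagging "sled" byte runs.
# A classic NOP sled is a run of 0x90 bytes. As the thread notes, the filler can
# instead be inc %eax (0x40) or similar single-byte instructions, so a detector
# matching only 0x90 is evaded. This scans for long runs built from a broader
# set of single-byte 32-bit x86 instructions (constructed, not exhaustive).
from typing import List, Tuple

SLED_OPCODES = frozenset(
    [0x90]                      # nop
    + list(range(0x40, 0x48))   # inc %eax .. inc %edi (32-bit mode; REX prefixes in 64-bit)
    + list(range(0x48, 0x50))   # dec %eax .. dec %edi (32-bit mode)
    + [0x9E, 0x9F, 0xF8, 0xF9]  # sahf, lahf, clc, stc
)


def naive_nop_only(buf: bytes, min_len: int = 32) -> bool:
    """The 0x90-only check that an inc %eax sled slips past."""
    return b"\x90" * min_len in buf


def find_sled_runs(buf: bytes, min_len: int = 32) -> List[Tuple[int, int, int]]:
    """Return (offset, length, distinct_opcode_count) for every run of at least
    min_len consecutive bytes whose values all lie in SLED_OPCODES."""
    runs = []
    i, n = 0, len(buf)
    while i < n:
        if buf[i] not in SLED_OPCODES:
            i += 1
            continue
        j = i
        while j < n and buf[j] in SLED_OPCODES:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i, len(set(buf[i:j]))))
        i = j
    return runs


def looks_like_sled(buf: bytes, min_len: int = 32) -> bool:
    """True when at least one qualifying run exists."""
    return bool(find_sled_runs(buf, min_len))


# Constructed samples (assumptions for the example, not captured traffic).
# "PAYLOAD-PLACEHOLDER" stands in for whatever would follow a sled; its first
# byte 'P' (0x50, push %eax) is outside SLED_OPCODES, so it ends the run.
SAMPLE_NOP_SLED = b"\x90" * 64 + b"PAYLOAD-PLACEHOLDER"
SAMPLE_INC_SLED = b"\x40" * 64 + b"PAYLOAD-PLACEHOLDER"
SAMPLE_MIXED_SLED = bytes([0x90, 0x40, 0x41, 0x42, 0x43]) * 10 + b"PAYLOAD-PLACEHOLDER"
SAMPLE_TEXT = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
# Known false positive: 0x41 is both ASCII 'A' and inc %ecx, so a long run of
# 'A's is byte-for-byte identical to an inc %ecx sled. Byte-level sled matching
# therefore needs context (protocol field, expected charset) before alerting.
SAMPLE_ALL_AS = b"A" * 40

if __name__ == "__main__":
    for name, buf in [("nop", SAMPLE_NOP_SLED), ("inc", SAMPLE_INC_SLED),
                      ("mixed", SAMPLE_MIXED_SLED), ("text", SAMPLE_TEXT),
                      ("all-As", SAMPLE_ALL_AS)]:
        print(name, "naive:", naive_nop_only(buf),
              "runs:", find_sled_runs(buf))
```

The `distinct_opcode_count` field is there so a downstream rule can treat a run of one repeated byte differently from a run mixing several filler opcodes; both are flagged here, but the all-'A's sample shows why the byte-level match alone is only a signal, not a verdict.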

