Re: win32 call dword ptr [eax] help needed
From: Gerardo Richarte (gera_at_corest.com)
Date: 09/10/03
- Previous message: Marc Maiffret: "EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II"
- In reply to: wirepair: "Re: win32 call dword ptr [eax] help needed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 10 Sep 2003 12:28:54 -0300 To: wirepair <wirepair@roguemail.net>
wirepair wrote:
> Thank you very very much for taking the time to respond. Unfortunately
> I have Zero C++ knowledge. I only code in C, and for the most part
> just *nix. I am kind of unsure as to how one would tell if this is in
> the heap or the stack. In Unix (linux anyways) it is very easy because
> the addresses are easily identifiable 0xbfffxxxx , stack ect.
Well... erm... to know if what I said will work, check the stack
after the call to
recv(). Better check if the data pointed to by EBP has been altered by
your bytes
or not. If it was altered, then you may probably do 4 in my previous
mail (use the
ret at the end of the function to jmp). If the data pointed to by EBP is
not changed,
increse the amount of bytes sent, if this doesn't work, then you'll
probably have to
think different, and as 3 (using the exception handler) didn't work,
then, you may
want to try either Dave's or James' idea.
Now, if you are going to use James' let me say something about it,
nothing really
serious, but it may help.
As James said, it may be a good idea to build an "Address Cushion",
but I think
it's not necesary to use a "Nops Cushion" or not even needed to
guess/bruteforce
two different addresses.
So, what can we do?
We can controll eax, and then use a call [eax+4]
We can put our buffer in memory, not in a fixed place.
Questions:
Can we put another buffer in memory using any other mean?
How much does the address of our bytes in memory vary?
What do we need?
We need to set eax to point to a pointer to our egg (delta +4)
Although we will probably need to use the same buffer to set eax and
to send our
addresses I will treat this two actions as different things, you'll have
to figure out how
put them together if needed... I don't think this will be a major
challenge :-)
Let's say I know the buffer will be at address 00001000, in this
case I could set eax to 1000
and make the buffer be:
xxxx|00001008|egg
so, [eax+4] is 1008 and the egg is at 1008 (as the buffer starts in 1000)
now, suppose the buffer may move around a little bit, lets say a max
of 0x20 bytes,
so I could make eax still be 1000, but make the buffer:
1024|1020|101c|1018|1014|1010|100c|1008|1004|egg
eax = 1000
buffer address [eax+4] egg address
1000 1020 1020
0ffc 101c 101c
etc
The key is: We set eax to a fixed value (1000), we don't really know
which of
the addresses we are going to hit, but we can compute the distance
between each
address and the egg, because we know the structure of the buffer. So,
for each
address we send in the buffer we think "If this address is in memory at
1000, what
would be the address of my egg?" and the answer to that question is what we
put in the buffer in the right place, as in the previous example.
What we do is send as many possible addresses and then our egg. This
will maximize
our chances of hitting one of the addresses. In this example I'm
assuming you know the
buffer will be aligned to 4 bytes, but you can usually assume that, or
pad with the right
number of bytes. If this is not your case you will need to try the
different alignments or
find another way.
Of course we may make eax vary on every try, changing it by the
number of addresses
we are sending times 4 [bytes].
With this we reduced the problem from having to bruteforce two
addresses, to having
to bruteforce just one, which is way better.
gera
- Previous message: Marc Maiffret: "EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II"
- In reply to: wirepair: "Re: win32 call dword ptr [eax] help needed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
