Bugtraq mailing list archives
Re: hard-coded windows exploits
From: dullien () GMX DE (Thomas Dullien)
Date: Wed, 17 Nov 1999 20:22:25 +0100
On Tue, 16 Nov 1999 14:00:31 PST, Jeremy Kothe wrote:
Using checksums of function names instead of the actual names, and an optimized GetProcAddress routine, results in generic code of about 200 bytes which can locate kernel32 and get the addresses of any functions, completely irrespective of the version of Windows.
Well, IMO using such a routine is not necessary for something like a buffer overflow in a Ring3 program under NT. In the Win32 environment, all your applications that reside in the pageable memory pool (ALL user-mode apps) will always be loaded at a fixed base address. In that scenario, you can just as well use hard-coded addresses, namely those of the functions in the PE header of the exploited program. The only exceptions to this are DLLs, which are sometimes (only in case of a collision with already loaded DLLs) relocated, and R0 device drivers (which are always relocated due to the nature of the nonpaged pool in NT).

So, all in all, if I am going to overflow a simple NT Server there's no need for me to actually go to the pain of coding my own GetProcAddress routine; I know the program I am trying to overflow and can use hard-coded values in my header files for the assembler. (This is different from a virus programmer's perspective; in that case your proposal would be quite in place.)

On the other hand, of course, if I am attacking either a DLL or a driver (drivers are especially interesting ;) I would need to follow your layout.

Thomas Dullien
dullien () gmx de
Win32 Security Consultant ;-> Hire me!
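The distinction Thomas draws (an image loaded at its fixed base versus one the loader may rebase on a collision) is visible in the PE header itself. As an added example, not code from this thread, the following Python reads an image's preferred ImageBase and whether it kept its base-relocation directory; the input headers are constructed minimal PE32 images, not real binaries.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # loader cannot rebase the image
DIR_BASERELOC = 5                     # index of the base-relocation data directory

def pe_relocation_info(data: bytes) -> dict:
    """Parse a PE image and report its preferred base and whether it can be relocated."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    characteristics = struct.unpack_from("<H", data, fh + 18)[0]
    opt = fh + 20                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                 # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                               # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional-header magic")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    reloc_size = 0
    if ndirs > DIR_BASERELOC:
        _, reloc_size = struct.unpack_from("<II", data, dirs_off + 8 * DIR_BASERELOC)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "image_base": image_base,
        "relocs_stripped": stripped,
        "has_reloc_dir": reloc_size > 0,
        # Only an image that kept its relocations can be rebased on a collision.
        "relocatable": reloc_size > 0 and not stripped,
    }

def build_test_pe(image_base: int, relocs_stripped: bool, reloc_size: int) -> bytes:
    """Constructed minimal PE32 header (no sections), for offline testing only."""
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    hdr += b"PE\0\0"
    chars = 0x0102 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    hdr += struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, chars)    # i386, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)                               # 16 data directories
    struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, 0x3000 if reloc_size else 0, reloc_size)
    return bytes(hdr + opt)
```

Run against a real module, an image reporting `relocatable: False` is one the loader must place at its ImageBase, which is exactly the case where hard-coded addresses keep working.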