Dailydave mailing list archives
about 0x7ffdf020 of aspcode.c
From: "yuange" <yuange () nsfocus com>
Date: Tue, 25 Jan 2005 00:54:36 +0800
About aspcode.c http://packetstormsecurity.nl/0209-exploits/aspcode.c

1. The book <<The Shellcoder's Handbook>>, page 143:

> A better strategy is to set the PEB lock to RtlEnterCriticalSection, as follows:
>
>     k=0x7ffdf020;
>     *(int *)k=RtlEnterCriticalSectionadd;

2. http://cert.uni-stuttgart.de/archive/vuln-dev/2003/06/msg00095.html:

> Well, Halvar uses the PEB technique to find kernel32.dll and related infoz. Check out
> http://packetstormsecurity.nl/0209-exploits/aspcode.c for an exploit in typical Chinese
> style using the SEH technique. Note how the exploit's shellcode is about three pages of
> C code, which gets compiled by Visual Studio into shellcode.
>
> I'm still trying to figure out what these two lines really do...
>
>     k=0x7ffdf020;
>     *(int *)k=RtlEnterCriticalSectionadd;
>
> Something to do with thread locking, obviously, but what?
>
> Dave Aitel
> Immunity, Inc.
> Hack like a pro, without all the Mountain Dew: http://www.immunitysec.com/CANVAS/

The aspcode.c is a heap buffer overflow exploit. A heap buffer overflow can write anything to anywhere:

    *p1=p2;
    *(p2+4)=p1;

My code is p2+4=0x7ffdf020. You can see the code of aspcode.c:

    char buff7[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";

0x7ffdf01c

The shellcode must repair the function pointer, so you can see:

    k=0x7ffdf020;
    *(int *)k=RtlEnterCriticalSectionadd;
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
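The mail explains the write-what-where as a pair of linked-list writes (`*p1=p2; *(p2+4)=p1`) that land on the PEB lock pointer, which the shellcode then has to restore. The following is an added example written for this archive page, not code from the mail or from aspcode.c. It models that primitive on a constructed doubly linked free-list header (`chunk_t`) and a constructed stand-in for the PEB lock slot (`fake_peb_t`, whose lock pointer sits one pointer after its base, mirroring 0x7ffdf01c / 0x7ffdf020). It contrasts the old unchecked unlink, which performs the two writes blindly, with the "safe unlink" consistency check (`fd->bk == p && bk->fd == p`) that later allocators adopted to detect exactly this corruption. None of the names are from the original; they are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed free-list chunk header: fd/bk links as old allocators kept them. */
typedef struct chunk {
    struct chunk *fd;   /* forward link */
    struct chunk *bk;   /* backward link: sits one pointer past the base */
} chunk_t;

/* Constructed stand-in for the PEB: a pad word followed by the lock routine
 * pointer, so the lock slot is at base + sizeof(void*), like 0x7ffdf020 is
 * four bytes past 0x7ffdf01c in the mail. The union lets the same memory be
 * viewed as a chunk header, which is what the unlink write does to it. */
typedef union {
    struct { uintptr_t pad; void (*lock_routine)(void); } peb;
    chunk_t as_chunk;
} fake_peb_t;

static void real_lock(void) { /* stands in for RtlEnterCriticalSection */ }

/* Classic unchecked unlink: trusts fd and bk blindly.
 * fd->bk = bk is the "*(p2+4)=p1" write, bk->fd = fd is the "*p1=p2" write. */
static void unlink_unchecked(chunk_t *p) {
    chunk_t *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Safe unlink: refuse to unlink a chunk whose neighbours do not point back
 * at it. Returns 1 on success, 0 when the header looks corrupted. */
static int unlink_checked(chunk_t *p) {
    chunk_t *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return 0;               /* corruption detected, nothing written */
    fd->bk = bk;
    bk->fd = fd;
    return 1;
}

/* Build the state an overflow leaves behind: the victim chunk's fd points
 * at the target so fd->bk lands on the lock slot, bk points at the
 * attacker-controlled buffer (a constructed placeholder, no real payload). */
static void setup_corrupted(fake_peb_t *target, chunk_t *victim, chunk_t *attacker_buf) {
    target->peb.pad = 0;
    target->peb.lock_routine = real_lock;
    attacker_buf->fd = NULL;
    attacker_buf->bk = NULL;
    victim->fd = &target->as_chunk;
    victim->bk = attacker_buf;
}

/* Returns 1 if the unchecked unlink redirected the lock slot to the buffer
 * and wrote the target address back into the buffer, i.e. both writes hit. */
int demo_unchecked(void) {
    fake_peb_t target; chunk_t victim, attacker_buf;
    setup_corrupted(&target, &victim, &attacker_buf);
    unlink_unchecked(&victim);
    return target.as_chunk.bk == &attacker_buf && attacker_buf.fd == &target.as_chunk;
}

/* Returns 1 if the checked unlink rejected the corrupted header and left
 * the lock pointer untouched. */
int demo_checked_rejects(void) {
    fake_peb_t target; chunk_t victim, attacker_buf;
    setup_corrupted(&target, &victim, &attacker_buf);
    int ok = unlink_checked(&victim);
    return ok == 0 && target.peb.lock_routine == real_lock && attacker_buf.fd == NULL;
}

/* Returns 1 if the checked unlink still works on an honest circular list. */
int demo_checked_legit(void) {
    chunk_t a, b, c;
    a.fd = &b; a.bk = &c;
    b.fd = &c; b.bk = &a;
    c.fd = &a; c.bk = &b;
    return unlink_checked(&b) == 1 && a.fd == &c && c.bk == &a;
}

int main(void) {
    printf("unchecked unlink redirected lock slot: %d\n", demo_unchecked());
    printf("checked unlink rejected corruption:    %d\n", demo_checked_rejects());
    printf("checked unlink on honest list:         %d\n", demo_checked_legit());
    return 0;
}
```

The check is cheap because a legitimate free chunk is always pointed at by both neighbours; a header that fails it can only have been overwritten, which is why allocators abort there instead of performing the two writes. The example uses native pointer widths, so the "p2+4" offset from the mail becomes `sizeof(void*)` on whatever platform it is compiled on.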