Dailydave mailing list archives

about 0x7ffdf020 of aspcode.c


From: "yuange" <yuange () nsfocus com>
Date: Tue, 25 Jan 2005 00:54:36 +0800



About aspcode.c: http://packetstormsecurity.nl/0209-exploits/aspcode.c


1. The book <<The Shellcoder's Handbook>>, page 143:

A better strategy is to set the PEB lock to RtlEnterCriticalSection, as follows:
       k=0x7ffdf020;
       *(int *)k=RtlEnterCriticalSectionadd;
 


2. http://cert.uni-stuttgart.de/archive/vuln-dev/2003/06/msg00095.html:

  Well, Halvar uses the PEB technique to find kernel32.dll and related
infoz. Check out http://packetstormsecurity.nl/0209-exploits/aspcode.c for
an exploit in typical Chinese style using the SEH technique. Note how the
exploit's shellcode is about three pages of C code, which gets compiled by
Visual Studio into shellcode.

I'm still trying to figure out what these two lines really do...
 k=0x7ffdf020;
 *(int *)k=RtlEnterCriticalSectionadd;
Something to do with thread locking, obviously, but what?

Dave Aitel
Immunity, Inc.
Hack like a pro, without all the Mountain Dew:
http://www.immunitysec.com/CANVAS/






 aspcode.c is a heap buffer overflow exploit.

 A heap buffer overflow can write anything anywhere:

 *p1=p2;
 *(p2+4)=p1;

 In my code, p2+4 = 0x7ffdf020. You can see it in the code of aspcode.c:

 char buff7[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";
                                               ^^^^^^^^^^^^^^^^ 0x7ffdf01c

 The shellcode must repair the function pointer, so you can see

   k=0x7ffdf020;
   *(int *)k=RtlEnterCriticalSectionadd;


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
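The following C program is an added illustration of the write-what-where sequence described in the message above; it is not code from the post, from aspcode.c or from The Shellcoder's Handbook. It takes the buff7 bytes quoted in the post as constructed sample input, treats bytes 8..15 as the little-endian Flink/Blink pair of a faked free-list entry (the first 8 bytes standing in for the heap entry header, an assumed layout), replays the two writes the allocator's unlink performs, and then replays the repair the shellcode does with `k=0x7ffdf020; *(int *)k=RtlEnterCriticalSectionadd;`. Process memory is simulated with a small sparse table so it runs on any host. Assumptions not stated on the page: 0x7ffdf000 is the PEB base on Windows 2000/XP before SP2 and PEB+0x20 is FastPebLockRoutine, which is what the post and the book call the PEB lock; the RtlEnterCriticalSection address used here is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the buff7 bytes quoted from aspcode.c in the post above. */
static const unsigned char buff7[16] = {
    0x10, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,   /* assumed 8-byte heap entry header (size 0x10, ...) */
    0x1c, 0xf0, 0xfd, 0x7f,                           /* Flink = 0x7ffdf01c (little-endian) */
    0x20, 0x21, 0x00, 0x01                            /* Blink = 0x01002120 (little-endian) */
};

/* Assumptions about the target, not stated explicitly on the page:
 * PEB at 0x7ffdf000 (Windows 2000 / XP before SP2), FastPebLockRoutine at PEB+0x20. */
#define PEB_BASE                 0x7ffdf000u
#define PEB_FASTPEBLOCKROUTINE   (PEB_BASE + 0x20u)
/* Hypothetical address of ntdll!RtlEnterCriticalSection, used only for the simulation. */
#define RTL_ENTER_CS_ADDR        0x77f8a000u

/* Tiny sparse "process memory" so the writes can be replayed on any host. */
#define SLOTS 8
struct sim_mem { uint32_t addr[SLOTS]; uint32_t val[SLOTS]; int n; };

static void mem_write32(struct sim_mem *m, uint32_t addr, uint32_t val) {
    for (int i = 0; i < m->n; i++)
        if (m->addr[i] == addr) { m->val[i] = val; return; }
    if (m->n < SLOTS) { m->addr[m->n] = addr; m->val[m->n] = val; m->n++; }
}

/* Returns 1 and fills *out if that word has been written, 0 otherwise. */
static int mem_read32(const struct sim_mem *m, uint32_t addr, uint32_t *out) {
    for (int i = 0; i < m->n; i++)
        if (m->addr[i] == addr) { *out = m->val[i]; return 1; }
    return 0;
}

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

struct fake_entry { uint32_t flink; uint32_t blink; };

/* The overflow lays a fake free-list entry over the next chunk: header, then Flink/Blink. */
static struct fake_entry parse_fake_entry(const unsigned char buf[16]) {
    struct fake_entry e = { le32(buf + 8), le32(buf + 12) };
    return e;
}

/* Unlink as the allocator performs it when the faked chunk is taken off the free list:
 *   Flink->Blink = Blink;   i.e. *(p2 + 4) = p1
 *   Blink->Flink = Flink;   i.e. *p1       = p2
 * with p2 = Flink and p1 = Blink in the post's notation. */
static void heap_unlink(struct sim_mem *m, struct fake_entry e) {
    mem_write32(m, e.flink + 4, e.blink);
    mem_write32(m, e.blink, e.flink);
}

/* Where a call through PEB->FastPebLockRoutine would land; untouched, it is RtlEnterCriticalSection. */
static uint32_t peb_lock_target(const struct sim_mem *m) {
    uint32_t t = 0;
    return mem_read32(m, PEB_FASTPEBLOCKROUTINE, &t) ? t : RTL_ENTER_CS_ADDR;
}

/* What the shellcode's  k=0x7ffdf020; *(int *)k=RtlEnterCriticalSectionadd;  does. */
static void shellcode_repair_peb_lock(struct sim_mem *m) {
    mem_write32(m, PEB_FASTPEBLOCKROUTINE, RTL_ENTER_CS_ADDR);
}

/* Replays the whole sequence and returns the PEB lock target after the repair. */
static uint32_t replay(struct sim_mem *m) {
    struct fake_entry e = parse_fake_entry(buff7);
    heap_unlink(m, e);                        /* PEB+0x20 now holds 0x01002120 (the shellcode) */
    uint32_t hijacked = peb_lock_target(m);   /* the next PEB lock acquisition jumps here */
    shellcode_repair_peb_lock(m);             /* first thing the shellcode has to do */
    printf("unlink wrote %#x to %#x; repaired to %#x\n",
           (unsigned)hijacked, (unsigned)PEB_FASTPEBLOCKROUTINE, (unsigned)peb_lock_target(m));
    return peb_lock_target(m);
}

int main(void) {
    struct sim_mem m;
    memset(&m, 0, sizeof m);
    return replay(&m) == RTL_ENTER_CS_ADDR ? 0 : 1;
}
```

The two writes are inseparable: choosing Flink = 0x7ffdf01c puts the shellcode address into PEB+0x20, and the allocator also writes 0x7ffdf01c back into the first four bytes at the shellcode address, so the shellcode must tolerate that clobber. The repair matters because the PEB lock is acquired through that same pointer by ordinary ntdll code paths; if the shellcode left its own address there, the next acquisition would jump back into it instead of into RtlEnterCriticalSection.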
