Dailydave mailing list archives

Fwd: RE: Shellcode


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Wed, 30 Nov 2005 11:27:15 -0600

----------  Forwarded Message  ----------

Subject: RE: [Dailydave] Shellcode
Date: Wednesday 30 November 2005 11:24
From: "Dave Korn" <dave.korn () artimi com>
To: "'H D Moore'" <hdm () metasploit com>

H D Moore wrote:
Is there a better way to find the ECB than just scanning the stack for
pointers that can be identified as GetServerVariable?

-HD

  Not that I found.  But then again, I didn't look!

  If we hadn't just overflowed the stack and trashed (up to and
 including) the return address, I suppose we could unwind by following
 [ebp] until we reached the frame for HttpExtensionProc and grab it from
 there.  If we didn't know how many frames down the stack we were, it
 would even be possible to detect that frame by comparing the return
 addresses as we went past them and look for a sudden discontinuity
 between return addresses that would mark the transfer of control from
 the .exe to the .dll.

  Alternatively we could write a SEH-protected code block that scans
 memory looking for the pair of known DWORDs (cbSize, dwVersion) at the
 start of every ECB; we'd need to have some mechanism for knowing which
 was the correct one when we got there, which we could do perhaps by
 sending some expected data down the socket after the sploit that could
 be read and recognized by calling ECB->WriteClient, or if we wanted to
 be really clever about it we could add a custom X- header to the initial
 HTTP request and use ECB->GetServerVariable to look for the correct ECB
 without disturbing the other ones.

  Those are just off the top of my head.  It's been quite a while since I
 last looked at this stuff!

    cheers,
      DaveK
--
Can't think of a witty .sigline today....

-------------------------------------------------------
