Dailydave mailing list archives
Fwd: RE: Shellcode
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Wed, 30 Nov 2005 11:27:15 -0600
---------- Forwarded Message ----------
Subject: RE: [Dailydave] Shellcode
Date: Wednesday 30 November 2005 11:24
From: "Dave Korn" <dave.korn () artimi com>
To: "'H D Moore'" <hdm () metasploit com>

H D Moore wrote:
> Is there a better way to find the ECB than just scanning the stack for
> pointers that can be identified as GetServerVariable?
> -HD
Not that I found. But then again, I didn't look!

If we hadn't just overflowed the stack and trashed (up to and including) the return address, I suppose we could unwind by following [ebp] until we reached the frame for HttpExtensionProc and grab it from there. If we didn't know how many frames down the stack we were, it would even be possible to detect that frame by comparing the return addresses as we went past them and looking for a sudden discontinuity between return addresses that would mark the transfer of control from the .exe to the .dll.

Alternatively we could write a SEH-protected code block that scans memory looking for the pair of known DWORDs (cbSize, dwVersion) at the start of every ECB; we'd need to have some mechanism for knowing which was the correct one when we got there, which we could do perhaps by sending some expected data down the socket after the sploit that could be read and recognized by calling ECB->WriteClient, or if we wanted to be really clever about it we could add a custom X- header to the initial HTTP request and use ECB->GetServerVariable to look for the correct ECB without disturbing the other ones.

Those are just off the top of my head. It's been quite a while since I last looked at this stuff!

cheers,
DaveK
--
Can't think of a witty .sigline today....
-------------------------------------------------------