Vulnerability Development mailing list archives

Re: static dll's for windows buffer overflows


From: "Oscar Batyrbaev" <batyr () ix netcom com>
Date: Sat, 10 Nov 2001 02:02:08 -0800

Hi Guys,

On somewhat related topic:

There used to be some buffer overflows in the TCP/IP stack and ARP code
(like teardrop, etc.).
Are these types of, or any other type of, buffer overflows or other memory
overwrites (malloc/free, etc.) in the TCP/IP stack and ARP code exploitable
in any meaningful way other than just an OS crash? Can an adversary, say,
change routing tables, or execute some otherwise damaging code somehow? Is
this really feasible also on BSD/Linux/Unix systems?

Thanks in advance.

----- Original Message -----
From: "Ryan Permeh" <ryan () eEye com>
To: <foob () return0 net>; "Franklin DeMatto" <franklin.lists () qDefense com>
Cc: <vuln-dev () securityfocus com>
Sent: Monday, September 24, 2001 8:19 AM
Subject: Re: static dll's for windows buffer overflows


microsoft has offered a lot of help in this, by providing their dll library
which tells which dll's were shipped with x sp or os version. check on
msdn.microsoft.com.  I tend to prefer looking for usable jump points in
application provided code (provided dll's), preferably in the code you are
overflowing.  This seems to work best for me, because if the code contains
an overflow, and there is a usable jump point, if the overflow is there, so
is the jump point :)

As far as i've seen, there is no "magic bullet" of jump points; a pretty
decent choice if you need to hit an os dll is often kernel32.dll, or msvcrt.
Another technique you may choose to use is to avoid application code
altogether, and jump directly to the stack or the heap.  Often, you don't
know your specific addresses, but if size isn't an issue, a decent nop sled
can compensate for slight deviations.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: <foob () return0 net>
To: "Franklin DeMatto" <franklin.lists () qDefense com>
Cc: <vuln-dev () securityfocus com>
Sent: Monday, September 24, 2001 4:30 AM
Subject: Re: static dll's for windows buffer overflows



Windows buffer overflows almost always require knowledge of offsets in
dll's.  Even if rva is used, usually one offset is still known, to jmp to
where the code is (e.g., let's say the shellcode is pointed to by eax, we
need to know the offset of somewhere to jmp eax).  Which dll's are the most
static?  For the jmp instruction, we can use any dll, as long as it has
those bytes (i.e., we are not limited to kernel, user, and gdi).  Which
dll's are the best to use, and why?

Using dll's for the jmp's causes problems when different service packs are
encountered.  I usually grab a list of all the dlls loaded by a process
(dumpbin, pex or msvc will do this), narrow down to the ones
containing a usable jmp/call instruction, and then pick the one with the
oldest date in the newest service pack.  This way, the same dll will be
used in most (all?) earlier service packs.

Also, dll's with addresses that are ascii printable are good for filtered
buffer overflows - ie 0x77500000 (clbcatq.dll) == 'gP..' in internet
explorer 6.

Usually the choices are limited however.

- foob
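The recurring question in the thread is which modules sit at a fixed, predictable address across service packs. From the defender's side the same question is an audit item: does a module carry relocations, and does it ask the loader to randomize its base? The script below is an added example, not code from the thread or from any of its participants. It reads the PE headers directly using the field offsets and flag values documented in the Microsoft PE/COFF specification (the COFF link timestamp it reports is the "date" foob's heuristic sorts on). The DYNAMICBASE opt-in flag is a mitigation that postdates this 2001 thread, so the example goes beyond the page in that respect; `build_minimal_pe` only exists to construct synthetic headers for the demonstration and is not a real tool.

```python
import struct
import sys

# Flag values and offsets from the Microsoft PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no .reloc, image cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics: image opts in to ASLR
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe_base(data: bytes) -> dict:
    """Return image base, link timestamp and relocation/ASLR flags of a PE image.

    Only the DOS header, PE signature, COFF header and the fixed part of the
    optional header are read, so the first few hundred bytes of a file suffice.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsec, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]   # 32-bit ImageBase
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 64-bit ImageBase
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "image_base": image_base,
        "timestamp": timestamp,
        "relocs_stripped": relocs_stripped,
        "dynamic_base": dynamic_base,
        # "Static" in the thread's sense: the loader either cannot move the
        # module or was never asked to.
        "predictable": relocs_stripped or not dynamic_base,
    }


def classify(info: dict) -> str:
    """One-line verdict for an audit report."""
    base = info["image_base"]
    if info["relocs_stripped"]:
        return f"fixed: relocations stripped, must load at {base:#x}"
    if not info["dynamic_base"]:
        return f"fixed: no DYNAMICBASE, loads at {base:#x} unless the base collides"
    return f"randomized: DYNAMICBASE set, preferred base {base:#x} is not where it will load"


def build_minimal_pe(image_base, coff_chars=0, dll_chars=0, timestamp=0, pe32plus=False) -> bytes:
    """Construct a header-only PE image for demonstration (synthetic sample, not a real module)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew: PE signature follows the DOS header
    opt_size = 112 if pe32plus else 96                            # standard optional header sizes without data directories
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<H", opt, 0, PE32_MAGIC)
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def audit_files(paths):
    """Report each module on disk; returns a list of (path, verdict) pairs."""
    results = []
    for path in paths:
        with open(path, "rb") as fh:
            results.append((path, classify(parse_pe_base(fh.read(4096)))))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, verdict in audit_files(sys.argv[1:]):
            print(f"{path}: {verdict}")
    else:
        # Constructed samples: a pre-ASLR style DLL with a fixed base and an ASLR-enabled one.
        for name, blob in [
            ("legacy.dll (constructed)", build_minimal_pe(0x77500000, timestamp=1000000000)),
            ("modern.dll (constructed)", build_minimal_pe(0x180000000, dll_chars=IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, pe32plus=True)),
        ]:
            print(f"{name}: {classify(parse_pe_base(blob))}")
```

Run it with one or more DLL paths to audit real modules, or with no arguments to see the two constructed samples. A module reported as "fixed" is one whose address an attacker can count on, which is exactly the property the thread is discussing; the remediation is to link with relocations and the dynamic-base flag.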
