Vulnerability Development mailing list archives

Re: GetPC code (was: Shellcode from ASCII)


From: Gerardo Richarte <gera () corest com>
Date: Thu, 26 Jun 2003 17:15:17 -0300

Roland Postle wrote:

B9 D0FEFD7F    MOV ECX,7FFDFED0
8B01           MOV EAX,DWORD PTR DS:[ECX]
C701 5B53C341  MOV DWORD PTR DS:[ECX],41C3535B
E8 D8DFBD7F    CALL 7FFDFED0
8901           MOV DWORD PTR DS:[ECX],EAX

    Heh, nice solution, pretty similar to what we had once... as you
said, NT specific, but could be done in Linux probably, using a fixed
address in the range 0x40xxxxxx... but then, the main problem is
that none of them will work (I'm sorry). The call 7ffdfed0 is relative
to your current location, so, either you already know your address,
or you can't do the call :-(

    It's really a mind puzzle, really funny too.
    So... our real solution is not like this, but is also win specific.

First thoughts on the second challenge: You can't use any of the call
opcodes, but you might be able to set up a quick exception handler in
the known mapped space. Cause a fault, and then find the address of
your fault causing instruction in the structure that's passed. (Again
I'm talking NT).

    I'm not sure this could be done (same problem), but keep this in mind anyway :-) [hint]

    gera
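
Gera's objection, worked through as an added example that is not part of the thread and not code from either poster: the displacement inside Roland's E8 CALL fixes the address the listing must run from, so the same bytes copied anywhere else call somewhere else. The Python below decodes the bytes quoted in the listing; the stack address 0x0012FF00 is a constructed example, and the small opcode table only covers the four bytes of the stub.

```python
import struct

CALL_LEN = 5  # opcode E8 plus a 4-byte little-endian displacement

# Bytes exactly as quoted in Roland's listing.
ROLAND_CALL = bytes.fromhex("E8D8DFBD7F")   # shown by the debugger as CALL 7FFDFED0
STUB_DWORD = 0x41C3535B                     # the dword written to [ECX] before the CALL

# Single-byte x86 opcodes that make up the stub (constructed table, stub only).
ONE_BYTE_OPS = {0x5B: "POP EBX", 0x53: "PUSH EBX", 0xC3: "RET", 0x41: "INC ECX"}

def call_target(call_addr, encoding):
    """Absolute target of an E8 rel32 CALL that sits at call_addr."""
    if len(encoding) != CALL_LEN or encoding[0] != 0xE8:
        raise ValueError("not a CALL rel32")
    rel = struct.unpack("<i", encoding[1:])[0]       # displacement is signed
    return (call_addr + CALL_LEN + rel) & 0xFFFFFFFF  # relative to the next instruction

def assumed_origin(encoding, intended_target):
    """Recover where the CALL had to be located for it to reach intended_target."""
    rel = struct.unpack("<i", encoding[1:])[0]
    return (intended_target - CALL_LEN - rel) & 0xFFFFFFFF

def encode_call(call_addr, target):
    """Encode CALL rel32 for one location; a different location needs different bytes."""
    rel = (target - (call_addr + CALL_LEN)) & 0xFFFFFFFF
    return b"\xE8" + struct.pack("<I", rel)

def stub_mnemonics(dword):
    """Mnemonics of the stub's bytes in memory order (little-endian dword)."""
    return [ONE_BYTE_OPS[b] for b in struct.pack("<I", dword)]

if __name__ == "__main__":
    origin = assumed_origin(ROLAND_CALL, 0x7FFDFED0)
    print(f"listing was assembled with the CALL at 0x{origin:08X}")
    print("stub at [ECX]:", " / ".join(stub_mnemonics(STUB_DWORD)))
    # Same five bytes running from a constructed stack address: the CALL no
    # longer reaches the stub, which is exactly gera's point about E8 being relative.
    elsewhere = 0x0012FF00
    print(f"from 0x{elsewhere:08X} the same CALL lands at "
          f"0x{call_target(elsewhere, ROLAND_CALL):08X}")
```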

