Vulnerability Development mailing list archives
Re: Automatic discovery of shellcode address
From: steve () uk intasys com
Date: Mon, 24 Mar 2003 19:32:59 +0000
On Mon, Mar 24, 2003 at 11:44:08PM +1000, Adam Gilmore wrote:
> Erm, correct me if I'm wrong, but the idea of placing your shellcode (prepended with x number of NOPs) and then filling the rest of your buffer with the address of the shellcode is a very old idea and very commonly used.

That wasn't the part that I was considering as being novel. When I've coded things before I've spent most of my time determining where the return address lies within the area I've overflowed (by doing a binary search of my 'XXXXXX's). I was thinking that by knowing the address of the buffer in the process's memory space this would reduce the number of trials down to four (to deal with alignment issues). If this isn't terribly different from how other people do things then I'm sorry for wasting folks' time; I have personally found it useful for narrowing things down though.

> Also, I find an easier method to find the shellcode address is trial and error. i.e. gdb ./myprog, run `perl -e'print "A"x1000'` - wait for the segfault, take a look at esp/ebp then do a dump of say.. x/255xb.

Yes, that would work also. (I have a love-hate relationship with gdb; if only it had a memory search function!)

> Another interesting method is to use ptrace. Have a look at nslconf.c on packetstorm which uses this method to find the shellcode. Quite nifty.

I tend to work in environments where ptrace is disabled, so I've never used that - thanks for the pointer though :)

Steve
---
www.steve.org.uk
Current thread:
- Automatic discovery of shellcode address steve (Mar 23)
- RE: Automatic discovery of shellcode address Adam Gilmore (Mar 24)
- Re: Automatic discovery of shellcode address steve (Mar 24)
- Re: Automatic discovery of shellcode address Marco Ivaldi (Mar 24)
- Re: Automatic discovery of shellcode address steve (Mar 24)
- Re: Automatic discovery of shellcode address Joel Eriksson (Mar 28)
- RE: Automatic discovery of shellcode address Adam Gilmore (Mar 24)