Re: win32 call dword ptr [eax] help needed

[Gerardo Richarte <gera () corest com>]

wirepair wrote:

> Thank you very very much for taking the time to respond. Unfortunately 
> I have Zero C++ knowledge. I only code in C, and for the most part 
> just *nix. I am kind of unsure as to how one would tell if this is in 
> the heap or the stack. In Unix (linux anyways) it is very easy because 
> the addresses are easily identifiable 0xbfffxxxx , stack ect. 

   Well... erm... to know if what I said will work, check the stack 
after the call to
recv(). Better check if the data pointed to by EBP has been altered by 
your bytes
or not. If it was altered, then you may probably do 4 in my previous 
mail (use the
ret at the end of the function to jmp). If the data pointed to by EBP is 
not changed,
increse the amount of bytes sent, if this doesn't work, then you'll 
probably have to
think different, and as 3 (using the exception handler) didn't work, 
then, you may
want to try either Dave's or James' idea.
   Now, if you are going to use James' let me say something about it, 
nothing really
serious, but it may help.

   As James said, it may be a good idea to build an "Address Cushion", 
but I think
it's not necesary to use a "Nops Cushion" or not even needed to 
guess/bruteforce
two different addresses.

   So, what can we do?

   We can controll eax, and then use a call [eax+4]
   We can put our buffer in memory, not in a fixed place.

   Questions:

   Can we put another buffer in memory using any other mean?
   How much does the address of our bytes in memory vary?

   What do we need?
   We need to set eax to point to a pointer to our egg (delta +4)

   Although we will probably need to use the same buffer to set eax and 
to send our
addresses I will treat this two actions as different things, you'll have 
to figure out how
put them together if needed... I don't think this will be a major 
challenge :-)

   Let's say I know the buffer will be at address 00001000, in this 
case I could set eax to 1000
and make the buffer be:

   xxxx|00001008|egg

  so, [eax+4] is 1008 and the egg is at 1008 (as the buffer starts in 1000)

   now, suppose the buffer may move around a little bit, lets say a max 
of 0x20 bytes,
so I could make eax still be 1000, but make the buffer:

   1024|1020|101c|1018|1014|1010|100c|1008|1004|egg

   eax = 1000

   buffer address               [eax+4]               egg address
   1000                                  1020                    1020
   0ffc                                  101c                    101c
   etc

   The key is: We set eax to a fixed value (1000), we don't really know 
which of
the addresses we are going to hit, but we can compute the distance 
between each
address and the egg, because we know the structure of the buffer. So, 
for each
address we send in the buffer we think "If this address is in memory at 
1000, what
would be the address of my egg?" and the answer to that question is what we
put in the buffer in the right place, as in the previous example.

   What we do is send as many possible addresses and then our egg. This 
will maximize
our chances of hitting one of the addresses. In this example I'm 
assuming you know the
buffer will be aligned to 4 bytes, but you can usually assume that, or 
pad with the right
number of bytes. If this is not your case you will need to try the 
different alignments or
find another way.
   Of course we may make eax vary on every try, changing it by the 
number of addresses
we are sending times 4 [bytes].

   With this we reduced the problem from having to bruteforce two 
addresses, to having
to bruteforce just one, which is way better.

   gera