Re: Environment use to inject shellcode

[Daniele Endlesstars <endlesstars () gmail com>]

I've been asked to describe the procedure a little more in details.
It mainly involves crafting a long series of null terminated nopsled.
The limit for each is 128kB, and the limit for the whole stack is
around 2MB so you can put 16 strings of a little less than 128kB. If
you craft them directly and uses execve() you don't need to have the =
in the name and you can have also share the name for several variables
(in the case the name is just nops).
To skip the null byte between the nopsleds i inserted a small near
jump (2 bytes) at the end of every string, except the last one where i
put the shellcode. This result that no matter where you land it will
go down the stack until it finds the code.
Wikipedia (http://en.wikipedia.org/wiki/Address_space_layout_randomization)
tells me linux places the stack base in an area 8 MB wid, so with a
2MB nopsled you have a 1 out of 4 chance to hit the useful code, that
is 16 more time than using a single environment variable.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------