Re: A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness

[Dave Aitel <dave () immunitysec com>]

halvar () gmx de wrote:

> Readclient shellcode is the obvious way to go when doing ISAPI. The 
> retrieval
> of the connection ID is in most cases not a problem -- very few 
> ISAPI's I've seen
> overflow in a different thread than the one that went through 
> HttpExtensionProc.
> In that case, unless you're very unlucky, your ESP is still intact, 
> and unless you
> _really_ smashed the stack (e.g. memcpy(,,-1)) you will have no 
> problem retrieving
> the lpECB from [ESP+static_offset]. Remember that stack frame sizes 
> are constant
> for a given executable, and that you can just rely on a value you 
> figured out in your
> own debugger here. Of yourse, you have to adjust 1 offset in the 
> shellcode to make
> it work for different targets.
(The following note is stuff Halvar and a lot of people already know or 
find too obvious to mention, but not everyone does)

This is true in some cases, but not in others (heap overflows, even some 
stack overflows). A good ISAPIcode will handle those cases. It's nice to 
avoid that extra step, in any case. :>


-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave