Vulnerability Development mailing list archives

Re: static dll's for windows buffer overflows


From: "Enrique A. Compañ Gzz." <enrique () virtekweb net>
Date: Mon, 24 Sep 2001 07:51:28 -0500

The best way to handle functions is by looking them up in the IT table of the base executable.

I've almost finished the new version of my shellcode; this one is ITable based, at a given executable base addr (works perfectly with any Win32). I'm also working on a polymorphic engine to create alphanumeric shellcode using my very own encoding method... it works. I'll post my work when it's ready, I have too much work to do.

You say that even if you use the rva (I think what you mean is IT or ET) an offset is required. Well yeah, that's true BUT you only need to know the base address of the executable, generally at 0400000h (most of the time), or for example, inetinfo preferred base = 01000000h. That's not a problem at all. Base addrs are constant.

So if you totally wanna avoid even the base address, then you should do a big memory scan, look for "MZ", and then scan the info from there and determine if it is the executable base address or the imported library you're looking for (actually I wrote a shell that does this).

Static DLLs? Kernel32 is one to avoid. I've found shell32 to be static in almost all versions of Win 9x for a given "jmp" instruction... I don't know why, but I found this to be true some time ago when I wrote an exploit for IE. It worked on many Win95, 98 and Me systems.

----- Original Message -----
From: "Franklin DeMatto" <franklin.lists () qDefense com>
To: <vuln-dev () securityfocus com>
Sent: Sunday, September 23, 2001 11:35 PM
Subject: static dll's for windows buffer overflows


Windows buffer overflows almost always require knowledge of offsets in DLLs. Even if rva is used, usually one offset is still known, to jmp to where the code is (e.g., let's say the shellcode is pointed to by eax, we need to know the offset of somewhere to jmp eax). Which DLLs are the most static? For the jmp instruction, we can use any DLL, as long as it has those bytes (i.e., we are not limited to kernel, user, and gdi). Which DLLs are the best to use, and why?


(BTW, I would like to suggest that the term "buffer overflow" be replaced with the term "memory overwrite," as there are many forms besides buffer overflow, such as format string, malloc(0) mangling, etc.)


Franklin DeMatto
Senior Analyst, qDefense Penetration Testing
http://qDefense.com
qDefense: Making Security Accessible
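Added example, not code from either poster: a Python PE header inspector that approaches the same facts from the forensic side. It validates each "MZ" candidate in a buffer through e_lfanew to the "PE\0\0" signature (so a stray "MZ" in a dump is rejected), and reports the preferred ImageBase, whether the image is a DLL, where the import directory that the reply calls the ITable lives, and whether the image carries the DYNAMIC_BASE flag that lets a modern loader relocate it, which is exactly what breaks the "base addrs are constant" assumption. The sample dump and both PE headers in it are constructed inline.

```python
import re, struct

IMAGE_FILE_DLL = 0x2000                         # COFF Characteristics: image is a DLL
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # loader may relocate the image (ASLR)

def parse_pe(buf, off=0):
    """Validate and parse the PE headers at buf[off:]; return None if it is not a PE image."""
    if buf[off:off + 2] != b"MZ" or len(buf) < off + 0x40:
        return None
    pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]        # e_lfanew -> "PE\0\0"
    if pe - off > 0x1000 or len(buf) < pe + 152 or buf[pe:pe + 4] != b"PE\0\0":
        return None
    chars = struct.unpack_from("<H", buf, pe + 22)[0]              # COFF Characteristics
    opt = pe + 24                                                  # optional header start
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                                             # PE32: 32-bit ImageBase
        base = struct.unpack_from("<I", buf, opt + 28)[0]
        ndirs, dirs = struct.unpack_from("<I", buf, opt + 92)[0], opt + 96
    elif magic == 0x20B:                                           # PE32+: 64-bit ImageBase
        base = struct.unpack_from("<Q", buf, opt + 24)[0]
        ndirs, dirs = struct.unpack_from("<I", buf, opt + 108)[0], opt + 112
    else:
        return None
    dll_chars = struct.unpack_from("<H", buf, opt + 70)[0]         # same offset in both formats
    imp = struct.unpack_from("<II", buf, dirs + 8) if ndirs > 1 else (0, 0)  # import dir RVA, size
    return {"offset": off, "is_dll": bool(chars & IMAGE_FILE_DLL), "image_base": base,
            "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "import_dir": tuple(imp)}

def find_pe_images(buf):
    """Carve every validated PE header out of a raw buffer such as a memory dump."""
    hits = (parse_pe(buf, m.start()) for m in re.finditer(b"MZ", buf))
    return [h for h in hits if h is not None]

def build_sample_pe32(image_base, dll_chars, is_dll):
    """Constructed minimal PE32 header (no sections); sample input only, not a real binary."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102 | (IMAGE_FILE_DLL if is_dll else 0))
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base); struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16); struct.pack_into("<II", opt, 104, 0x2000, 0x28)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

SAMPLE_DUMP = (b"\x90" * 7 + b"MZ junk, not a header" + b"\0" * 40    # stray "MZ": must be rejected
               + build_sample_pe32(0x00400000, 0x0000, False)         # fixed-base EXE, 2001 style
               + b"\xcc" * 13
               + build_sample_pe32(0x10000000, 0x0040, True))         # DLL marked DYNAMIC_BASE
```

Running `find_pe_images(SAMPLE_DUMP)` returns two records: the fixed-base EXE at 00400000h with DYNAMIC_BASE clear, and the DLL at 10000000h with it set; the stray "MZ" is dropped because its e_lfanew does not lead to a "PE\0\0" signature.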