Vulnerability Development mailing list archives
Re: static dll's for windows buffer overflows
From: "Enrique A. Compañ Gzz." <enrique () virtekweb net>
Date: Mon, 24 Sep 2001 07:51:28 -0500
The best way to handle functions is by looking it on the IT table of the base executable. I've almost finished the new version of my shellcode, this one is ITable based, at a given executable base addr (works perfectly with any Win32). I'm also working in a polymorphic engine to create alphanumeric shellcode using my very own encoding method... it works. I'll post my work when it's ready, I have too much work to do.

You say that even if you use the rva (I think what you mean is IT or ET) an offset is required. Well yeah, that's true BUT you only need to know the base address of the executable, generally at 0400000h (most of the time), or for example, inetinfo preferred base = 01000000h. That's not a problem at all. Base addr's are constant. So if you totally wanna avoid even the base address, then you should do a big memory scan, and look for "MZ", and then scan the info from there and determine if it is the executable base address or the imported library you're looking for (actually I wrote a shell that does this).

Static DLLs? Kernel32 is one to avoid. I've found shell32 to be static in almost all versions of Win 9x for a given "jmp" instruction... I don't know why but I found this to be true some time ago when I wrote an exploit for IE. It worked in many Win95, 98s and Me's.

----- Original Message -----
From: "Franklin DeMatto" <franklin.lists () qDefense com>
To: <vuln-dev () securityfocus com>
Sent: Sunday, September 23, 2001 11:35 PM
Subject: static dll's for windows buffer overflows
Windows buffer overflows almost always require knowledge of offsets in dll's. Even if rva is used, usually one offset is still known, to jmp to where the code is (e.g., let's say the shellcode is pointed to by eax, we need to know the offset of somewhere to jmp eax). Which dll's are the most static? For the jmp instruction, we can use any dll, as long as it has those bytes (i.e., we are not limited to kernel, user, and gdi). Which dll's are the best to use, and why?

(BTW, I would like to suggest that the term "buffer overflow" be replaced with the term "memory overwrite," as there are many forms besides buffer overflow, such as format string, malloc (0) mangling, etc.)

Franklin DeMatto
Senior Analyst, qDefense Penetration Testing
http://qDefense.com
qDefense: Making Security Accessible
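Both messages turn on the same property: a module whose load address never changes. As an added, defender-side example (not code from either poster), the following Python reads the PE header fields that decide whether an image is "static" in that sense: ImageBase, the base-relocation data directory, the IMAGE_FILE_RELOCS_STRIPPED bit, and the DYNAMIC_BASE flag in DllCharacteristics (the flag ASLR honours on Windows Vista and later). A module with no relocations or no DYNAMIC_BASE loads at its fixed ImageBase every time, which is the condition an audit should flag; the mitigation is to link with /DYNAMICBASE and keep the .reloc section. The sample images are constructed in the script, not real system DLLs, and the file names are placeholders.

```python
"""Minimal PE32/PE32+ header reader: does this image load at a fixed address?

Added example for this thread (not code from either poster). Reads only the
header fields needed to answer the question; it does not walk sections or
the import table.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D            # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550         # 'PE\0\0'
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def inspect_pe(data: bytes) -> dict:
    """Return ImageBase and the relocation/ASLR facts for a PE image held in memory."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    fh_off = e_lfanew + 4
    _, _nsec, _, _, _, _opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, fh_off)
    opt_off = fh_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
        dllchar_off, ndirs_off, dirs_off = opt_off + 70, opt_off + 92, opt_off + 96
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
        dllchar_off, ndirs_off, dirs_off = opt_off + 70, opt_off + 108, opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_characteristics = struct.unpack_from("<H", data, dllchar_off)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    reloc_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    has_relocs = reloc_size != 0 and not (characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "image_base": image_base,
        "has_relocations": has_relocs,
        "dynamic_base": dynamic_base,
        # Loads at ImageBase on every run unless it can be relocated AND asks for ASLR.
        "fixed_address": not (has_relocs and dynamic_base),
    }


def build_sample_pe32(image_base: int, dynamic_base: bool, with_relocs: bool) -> bytes:
    """Construct a header-only PE32 image for demonstration (no sections, no code)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(96 + 16 * 8)            # optional header fields + 16 data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if with_relocs:
        # Constructed RVA/size for a .reloc directory entry.
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000, 0x80)
    # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL, plus RELOCS_STRIPPED when there is no .reloc
    characteristics = 0x2102 if with_relocs else 0x2102 | IMAGE_FILE_RELOCS_STRIPPED
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: a legacy fixed-base DLL and one built with /DYNAMICBASE.
    samples = {
        "legacy_fixed.dll (placeholder)": build_sample_pe32(0x10000000, False, False),
        "aslr_ready.dll (placeholder)": build_sample_pe32(0x10000000, True, True),
    }
    for name, image in samples.items():
        print(name, inspect_pe(image))
```

Run against real files with `inspect_pe(open(path, "rb").read())`; anything reported with `fixed_address` true is a module whose addresses are identical on every boot and in every process, which is what makes a hard-coded jump offset in it reliable and why such modules should be rebuilt with relocations and DYNAMIC_BASE.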