Re: static dll's for windows buffer overflows

[<foob () return0 net>]

> Windows buffer overflows almost always require knowledge of offsets in 
> dll's.  Even if rva is used, usually one offset is still known, to jmp to 
> where the code is (e.g., let's say the shellcode is pointed to by eax, we 
> need to know the offset of somewhere to jmp eax).  Which dll's are the most 
> static?  For the jmp instruction, we can use any dll, as long as it has 
> those bytes (i.e., we are not limited to kernel, user, and gdi).  Which 
> dll's are the best to use, and why?

Using dll's for the jmp's causes problems when different service packs are
encountered.  I usually grab a list of all the dlls loaded by a process
(dumpbin, pex or msvc will do this), narrow down the to the ones
containing a usuable jmp/call instruction, and then pick the one with the
oldest date in the newest service pack.  This way, the same dll will be
used in most (all?) earlier service packs.

Also, dll's with addresses that are ascii printable are good for filtered
buffer overflows - ie 0x77500000 (clbcatq.dll) == 'gP..' in internet
explorer 6.  

Usually the choices are limited however.

- foob