Vulnerability Development mailing list archives
Re: Some help With BOF Exploits Writing.
From: <olafandjasper () hushmail com>
Date: Thu, 7 Aug 2003 06:47:32 -0700
DownBload- So you are saying that the return address will be the same on my local machine as it is on a remote machine (for a particular application on the same archatecture). I have found that most time it is true. Which got me wondering how in the world do two differnet instances of the same OS/arch come up with the same addresses?? Is it luck ? Any knowledge here would be helpful? If you don't mind: When you say "find the return address"; is that the value in the esp/SP at the time when the actural vulnerable function is called ? Thanks, Olaf On Sat, 26 Jul 2003 05:39:18 -0700 DownBload <downbload () hotmail com> wrote:
In-Reply-To: <Law9-F5967EKRuYDlrj00009721 () hotmail com> Remote bof exploitation is little bit harder, because you can't just do "movl %esp, %eax" for finding return address. In classic bufferoverflows, for remote exploits, try to install vuln. application on your host and find return address. Then you can code exploit which willprobably work on same architecture, OS and application version as yours. For remote (local also) exploits, you can use return address brute force method. Remote format string exploits are much more hackers-friendly than classic buffer overflows in return address finding. You can just pop stack with %x% x%x%x%x. DownBload / Illegal Instruction Labs <www.kamikaza.org>The return address should be before your shellcode, inside thenop's.[NNNNNNNNNSSSSSSSSSSSSSRET] buffer stored on stack. 5 1 2 3 4 0xFFFFA 0xFFFFD 0xFFFFE grows upwards. 1. Bunch of nop instructions: 0x90, that do nothing, so executiongoes tothe right until your code is executed. 2. shellcode. 3. return address, which is calculated to point somewhere withinthe nopoperations, this is calculated locally, by using the stack pointer esp. see 4. 4. Esp stack pointer points to the top of stack, which is usuallyhere,unless there is other data on the stack, to calculate the address of the NOP's, you'd getthe espaddress and subtract an offset from it depending on the size of the data within thestack.5. Ebp, the current location inside the stack, so if anything getspushed,it'll get pushed here and ebp will continue to shift to the left as more things are addedto thestack. most unix code does this like this: ----------------------------- get_esp() { __asm__("movl %esp, %eax"); puts the esp (current stack top)into eax. Eaxis the return value } of most functioncalls in C.//calculate ret, using offset supplied by user. offset = atoi(argv[1]); will crash if there was noinputhowever. Should check first. RET = get_esp() - offset; ---------------------------------- [NNNNNNNNNNNNNSSSSSSSSSSSSSSSRET] 10 20 30 40 50 60 simple decimal example. /exploit 20 RET = Getesp() - offset RET = 60 - 20 RET = 40 crash .. middle of shellcode /exploit 40 RET = getesp() - offset RET = 60 - 40 RET = 20 Bingo, right in the nops, execution moves to the right until shellcode hits.. thats the basic way of doing it anyway. Another method is by putting the shellcode, and alot more nopsinside anenvironment variable, to increase the size of the padding(NOPs) to increase chances of successandhave less guesswork. Anyone want to add to this? And a question of my own, how does remote exploits accomplish this??Thatsbeen on my mind for quite some time. deepcodeFrom: "theetabond" <theetabond () rediffmail com> Reply-To: "theetabond" <theetabond () rediffmail com> To: pondermate () hotmail com Subject: Some help With BOF Exploits Writing. Date: 25 Jul 2003 06:56:15 -0000 Hi there DeepCode, I've been reading u'r recent posts on Vul-Dev,and theywere very informative and useful for me. I had some questionsin my mindregarding writing buffer overflows on Win32 platform, and i hopemay be youcud help me with that. I had written some exploits ( stack overflow ) for win98 successfully.Butnow i want to do the same thing at win2k/winxp platforms. My probleminthis is - in calculating the return address which u write overthe previousRET instruction. On win98 i had a util called getcode.exe , whichwill scanthe memory and list out the jmp eax, ret eax, call eax, call ebxandsimilar useful addresses which u can use to write at return addresses.Unfortunately this particular tool deosn't work on win2k/Xp. Sohow can icalculate the return address on 2k/Xp platform?? Dissembling theDLLs/EXEsand searching them all for such instances is kinda hard to do. So is there any way/tool which can give me the desired output??Thank You Very Much theeta._________________________________________________________________ Add photos to your e-mail with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail
Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
Current thread:
- Re: Some help With BOF Exploits Writing. olafandjasper (Aug 07)
- Re: Some help With BOF Exploits Writing. Rafael Anschau (Aug 07)
- <Possible follow-ups>
- Re: Some help With BOF Exploits Writing. xenophi1e (Aug 08)