Re: Some help With BOF Exploits Writing.

[<olafandjasper () hushmail com>]

DownBload-
  So you are saying that the return address will be the same on my local
machine as it is on a remote machine (for a particular application on
the same archatecture).  I have found that most time it is true.  Which
got me wondering how in the world do two differnet instances of the same
OS/arch come up with the same addresses??  Is it luck ? Any knowledge
here would be helpful?

  If you don't mind:  When you say "find the return address"; is that
the value in the esp/SP at the time when the actural vulnerable function
is called ?

Thanks,
Olaf

On Sat, 26 Jul 2003 05:39:18 -0700 DownBload <downbload () hotmail com>
wrote:
> In-Reply-To: <Law9-F5967EKRuYDlrj00009721 () hotmail com>
>
> Remote bof exploitation is little bit harder, because you can't
> just 
> do "movl %esp, %eax" for finding return address. In classic buffer
> >
> overflows, for remote exploits, try to install vuln. application
> on your 
> host and find return address. Then you can code exploit which will
> >
> probably work on same architecture, OS and application version as
> yours. 
> For remote (local also) exploits, you can use return address brute
> force 
> method.
> Remote format string exploits are much more hackers-friendly than
> classic 
> buffer overflows in return address finding. You can just pop stack
> with %x%
> x%x%x%x.
>
> DownBload / Illegal Instruction Labs <www.kamikaza.org>
>
>
> > The return address should be before your shellcode, inside the
> nop's.
> > [NNNNNNNNNSSSSSSSSSSSSSRET]    buffer stored on stack.
> > 5    1              2                    3     4
> > 0xFFFFA        0xFFFFD       0xFFFFE        grows upwards.
> >
> > 1. Bunch of nop instructions: 0x90, that do nothing, so execution
> goes to 
> > the right until your code
> >   is executed.
> >
> > 2. shellcode.
> >
> > 3. return address, which is calculated to point somewhere within
> the nop 
> > operations, this is calculated
> >   locally, by using the stack pointer esp. see 4.
> >
> > 4. Esp stack pointer points to the top of stack, which is usually
> here, 
> > unless there is other data
> >   on the stack, to calculate the address of the NOP's, you'd get
> the esp 
> > address and subtract
> >  an offset from it depending on the size of the data within the
> stack.
> > 5. Ebp, the current location inside the stack, so if anything gets
> pushed, 
> > it'll get pushed here and
> >   ebp will continue to shift to the left as more things are added
> to the 
> > stack.
> >
> > most unix code does this like this:
> > -----------------------------
> > get_esp()
> > {
> > __asm__("movl %esp, %eax");   puts the esp (current stack top)
> into eax. 
> Eax 
> > is the return value
> > }                                             of most function
> calls in C.
> > //calculate ret, using offset supplied by user.
> >
> > offset = atoi(argv[1]);               will crash if there was no
> input 
> > however. Should check first.
> > RET = get_esp() - offset;
> >
> > ----------------------------------
> >
> > [NNNNNNNNNNNNNSSSSSSSSSSSSSSSRET]
> > 10         20         30         40        50      60
> >
> > simple decimal example.
> >
> > /exploit 20
> >
> > RET = Getesp() - offset
> > RET =  60 - 20
> > RET = 40
> >
> > crash .. middle of shellcode
> >
> > /exploit 40
> >
> > RET = getesp() - offset
> > RET = 60 - 40
> > RET = 20
> >
> > Bingo, right in the nops, execution moves to the right until shellcode
> >
> > hits.. thats the basic way of
> > doing it anyway.
> >
> > Another method is by putting the shellcode, and alot more nops
> inside an 
> > environment variable, to
> > increase the size of the padding(NOPs) to increase chances of success
> and 
> > have less guesswork.
> >
> > Anyone want to add to this?
> >
> > And a question of my own, how does remote exploits accomplish this??
> Thats 
> > been on my mind for
> > quite some time.
> >
> > deepcode
> >
> > > From: "theetabond" <theetabond () rediffmail com>
> > > Reply-To: "theetabond" <theetabond () rediffmail com>
> > > To: pondermate () hotmail com
> > > Subject: Some help With BOF Exploits Writing.
> > > Date: 25 Jul 2003 06:56:15 -0000
> > >
> > > Hi there DeepCode,
> > >                   I've been reading u'r recent posts on Vul-Dev,
> and 
> they 
> > > were very informative and useful for me. I had some questions
> in my mind 
> > > regarding writing buffer overflows on Win32 platform, and i hope
> may be 
> you 
> > > cud help me with that.
> > > I had written some exploits ( stack overflow ) for win98 successfully.
> But 
> > > now i want to do the same thing at win2k/winxp platforms. My problem
> in 
> > > this is - in calculating the return address which u write over
> the 
> previous 
> > > RET instruction. On win98 i had a util called getcode.exe , which
> will 
> scan 
> > > the memory and list out the jmp eax, ret eax, call eax, call ebx
> and 
> > > similar useful addresses which u can use to write at return addresses.
> >
> > > Unfortunately this particular tool deosn't work on win2k/Xp. So
> how can 
> i 
> > > calculate the return address on 2k/Xp platform?? Dissembling the
> DLLs/EXEs 
> > > and searching them all for such instances is kinda hard to do.
> > >  So is there any way/tool which can give me the desired output
> ??
> > > Thank You Very Much
> > > theeta.
> >
> > _________________________________________________________________
> > Add photos to your e-mail with MSN 8. Get 2 months FREE*.  
> > http://join.msn.com/?page=features/featuredemail



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427