Vulnerability Development mailing list archives
Re: GetPC code (was: Shellcode from ASCII)
From: noir <noir () gsu linux org tr>
Date: Fri, 27 Jun 2003 23:22:15 +0300 (EEST)
"""
First thoughts on the second challenge: You can't use any of the call opcodes, but you might be able to setup a quick exception handler in the known mapped space. Cause a fault, and then find the address of your fault causing instruction in the structure that's passed. (Again I'm talking NT).
I'm not sure this could be done (same problem) but, keep this in mind anyway :- ) [hint] gera """ i have spend good 20 minutes on this, i don't have the solution yet due to lack of time but i thought this might be interesting for the list. basicly, i'm simulating a floating point exception (division by zero) and then grabbing the EIP(pc) from the exception record. PC is the location of the fdivs instruction since that instruction created the exception condition so we add 11 on top to make %eax point to the nop instruction. (ATT syntax) xor %eax, %eax push %eax fdivs (%esp) fnstenv (%esp) mov 0xc(%esp), %eax add $0xd, %eax nop - noir sup mate ? ;)
Current thread:
- Re: GetPC code (was: Shellcode from ASCII) noir (Jun 27)