Vulnerability Development mailing list archives

Re: Automatic discovery of shellcode address


From: steve () uk intasys com
Date: Mon, 24 Mar 2003 19:32:59 +0000

On Mon, Mar 24, 2003 at 11:44:08PM +1000, Adam Gilmore wrote:

Erm, correct me if I'm wrong, but the idea of placing your shellcode
(prepended with x number of NOPs) and then filling the rest of your
buffer with the address of the shellcode is a very old idea and very
commonly used.

  That wasn't the part that I was considering as being novel.

  When I've coded things before I've spent most of my time determining
 where the return address lies within the area I've overflowed.  (By
 doing a binary search of my 'XXXXXX's).

  I was thinking that by knowing the address of the buffer in the
 process's memory space this would reduce the number of trials down
 to four.  (To deal with alignment issues).

  If this isn't terribly different from how other people do things then
 I'm sorry for wasting folks' time; I have personally found it useful
 for narrowing things down though.

Also, I find an easier method to find the shellcode address is trial and
error. i.e. gdb ./myprog, run `perl -e'print "A"x1000'` - wait for the
segfault, take a look at esp/ebp then do a dump of say.. x/255xb.

  Yes, that would work also.  (I have a love-hate relationship with gdb,
 if only it had a memory search function!)

Another interesting method is to use ptrace. Have a look at nslconf.c on
packetstorm which uses this method to find the shellcode. Quite nifty.

  I tend to work in environments where ptrace is disabled, so I've never
 used that - thanks for the pointer though :)

Steve
---
www.steve.org.uk

