Re: Automatic discovery of shellcode address
From: <steve(at)uk.intasys.com>
Date: Mon Mar 24 2003 - 14:32:59 EST

On Mon, Mar 24, 2003 at 11:44:08PM +1000, Adam Gilmore wrote:
> Erm, correct me if I'm wrong, but the idea of placing your shellcode
That wasn't the part that I was considering as being novel. When I've coded things before I've spent most of my time determining where the return address lies within the area I've overflowed. (By doing a binary search of my 'XXXXXX's). I was thinking that by knowing the address of the buffer in the process's memory space this would reduce the number of trials down to four. (To deal with alignment issues). If this isn't terribly different from how other people do things then I'm sorry for wasting folks' time; I have personally found it useful for narrowing things down though.

> Also, I find an easier method to find the shellcode address is trial and
Yes that would work also. (I have a love-hate relationship with gdb, if only it had a memory search function!)

> Another interesting method is to use ptrace. Have a look at nslconf.c on
I tend to work in environments where ptrace is disabled, so I've never used that - thanks for the pointer though :)

Steve
---
www.steve.org.uk

Received on Mon Mar 24 15:33:15 2003
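The "four trials" reasoning in the message above is easy to verify with a small model, added here as an illustration rather than code from the thread. The idea: once the start address of the overflowed region is known, the saved return address is at some 4-byte-aligned address inside it, so a filler that repeats one 32-bit value lands squarely on that slot for exactly one of the four possible byte shifts, and that shift is predictable from the region's base address alone. All addresses and lengths below are constructed (the 32-bit little-endian layout matches the 2003 setting of the thread); the function names are this example's own.

```python
"""
Constructed model of the alignment argument: a stack region with a known
base address, a saved-return slot somewhere inside it at a 4-byte-aligned
address, and a filler that repeats a single 32-bit word starting at byte
shift 0..3. Exactly one shift reads back intact from the slot.
"""
import struct

WORD = 4  # 32-bit stack slots (assumption: ILP32 layout as in the thread)


def build_filler(value: int, length: int, shift: int) -> bytes:
    """Repeat a little-endian 32-bit word across a region of `length` bytes,
    starting at byte offset `shift` (0..3) so the word boundaries move."""
    word = struct.pack("<I", value)
    padding = b"\x90" * shift  # constructed lead-in bytes before the first word
    return (padding + word * (length // WORD + 1))[:length]


def read_word(region: bytes, base: int, addr: int) -> int:
    """Read the 32-bit value the region holds at absolute address `addr`,
    given that the region starts at absolute address `base`."""
    off = addr - base
    if off < 0 or off + WORD > len(region):
        raise ValueError("address outside the modelled region")
    return struct.unpack("<I", region[off:off + WORD])[0]


def predicted_shift(base: int, ret_slot: int) -> int:
    """The one shift that lines the repeated word up with the slot.
    Because ret_slot is 4-aligned this depends only on base % 4."""
    return (ret_slot - base) % WORD


def shifts_that_hit(base: int, length: int, ret_slot: int, value: int) -> list:
    """Try all four shifts and return those for which the repeated value is
    read back intact from the saved-return slot (expected: exactly one)."""
    hits = []
    for shift in range(WORD):
        region = build_filler(value, length, shift)
        if read_word(region, base, ret_slot) == value:
            hits.append(shift)
    return hits


if __name__ == "__main__":
    # Constructed example: unaligned buffer start, aligned return slot 46 bytes in.
    base, length, ret_slot = 0xBFFFF5F2, 64, 0xBFFFF620
    value = 0xBFFFF5F6  # constructed 32-bit word to repeat
    print("predicted shift:", predicted_shift(base, ret_slot))
    print("shifts that hit:", shifts_that_hit(base, length, ret_slot, value))
    for shift in range(WORD):
        seen = read_word(build_filler(value, length, shift), base, ret_slot)
        print(f"shift {shift}: slot reads 0x{seen:08x}")
```

Running it shows that only one of the four shifts reproduces the word at the slot; the other three read back a byte-rotated value, which is the same symptom one sees in a crash dump when a filler is misaligned by one to three bytes. That is the whole reason the trial count drops to four (or to one, if the base address is known exactly) instead of the full binary search over the region.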