Metasploit mailing list archives
Jump points
From: hdm at metasploit.com (H D Moore)
Date: Wed, 26 Apr 2006 10:42:11 -0500
Could you narrow down the character set you are talking about? The address needs to pass the isprint() macro? The viable address change depends on your target OS - anything using 2.6's va randomization has a chance of having printable rets, but nothing you can depend on. On my (gentoo) system:

$ cat /proc/self/maps
08048000-0804c000 r-xp 00000000 08:05 147170 [self]
0804c000-0804d000 rw-p 00003000 08:05 147170 [self]
0804d000-0806e000 rw-p 0804d000 00:00 0 [heap]
b7dc6000-b7dc7000 rw-p b7dc6000 00:00 0
b7dc7000-b7ed9000 r-xp 00000000 08:05 163561 /lib/libc-2.4.so
b7ed9000-b7edb000 r--p 00111000 08:05 163561 /lib/libc-2.4.so
b7edb000-b7edd000 rw-p 00113000 08:05 163561 /lib/libc-2.4.so
b7edd000-b7ee0000 rw-p b7edd000 00:00 0
b7efc000-b7efd000 rw-p b7efc000 00:00 0
b7efd000-b7f16000 r-xp 00000000 08:05 163541 /lib/ld-2.4.so
b7f16000-b7f17000 r--p 00018000 08:05 163541 /lib/ld-2.4.so
b7f17000-b7f18000 rw-p 00019000 08:05 163541 /lib/ld-2.4.so
bf901000-bf916000 rw-p bf901000 00:00 0 [stack]
ffffe000-fffff000 ---p 00000000 00:00 0 [vdso]

None of those address ranges would pass isprint(). Any chance you can cause the process to allocate a large chunk of memory and essentially create your own return? Here is an example of causing a perl to allocate 512Mb of nops:

$ cat /proc/7962/maps
08048000-08134000 r-xp 00000000 08:07 675771 /usr/bin/perl5.8.8
08134000-0813e000 rw-p 000eb000 08:07 675771 /usr/bin/perl5.8.8
0813e000-08161000 rw-p 0813e000 00:00 0 [heap]
77d50000-b7d53000 rw-p 77d50000 00:00 0
[snip]
ffffe000-fffff000 ---p 00000000 00:00 0 [vdso]

$ gdb -c 7962
0xffffe410 in ?? ()
(gdb) x/x 0x78787878
0x78787878: 0x90909090

-HD

On Wednesday 26 April 2006 10:33, jolmos at isecauditors.com wrote:
> The problem is the ret address, I have to look for jumps or calls at some printable addresses. Has anybody found a printable universal address?
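The check HD does by eye above (which /proc/pid/maps ranges could ever contain an address whose every byte passes isprint()) can be made mechanical. The script below is an added example, not part of the original thread; it assumes 32-bit addresses and the C-locale isprint() range (0x20..0x7e), and it is run here over a constructed copy of the perl layout quoted in the post. The defensive point it makes concrete is that a printable-only input filter is not a memory-safety control: as soon as a process maps a large enough anonymous region, the layout itself satisfies the filter.

```python
# Added example (not from the original post): parse /proc/<pid>/maps output and flag
# mappings containing an address whose 4 bytes all pass C-locale isprint() (0x20..0x7e).
PRINTABLE_MIN, PRINTABLE_MAX = 0x20, 0x7E   # 32-bit addresses assumed, as in the post

def is_printable_addr(addr):
    # byte order does not matter: all four bytes must be printable
    return all(PRINTABLE_MIN <= b <= PRINTABLE_MAX for b in addr.to_bytes(4, "big"))

def next_printable_addr(addr):
    """Smallest 32-bit address >= addr whose bytes are all printable, or None."""
    out = []
    for b in addr.to_bytes(4, "big"):
        if PRINTABLE_MIN <= b <= PRINTABLE_MAX:
            out.append(b)
            continue
        if b < PRINTABLE_MIN:
            out.append(PRINTABLE_MIN)   # round this byte up; lower bytes become minimal
        else:
            while out and out[-1] == PRINTABLE_MAX:   # carry into a higher byte
                out.pop()
            if not out:
                return None             # every higher byte already at its maximum
            out[-1] += 1
        break
    out += [PRINTABLE_MIN] * (4 - len(out))
    return int.from_bytes(bytes(out), "big")

def range_has_printable(start, end):
    # half-open [start, end): does it contain an all-printable address?
    p = next_printable_addr(start)
    return p is not None and p < end

def audit_maps(maps_text):
    """Parse /proc/<pid>/maps text; mark each mapping that holds a printable address."""
    rows = []
    for line in maps_text.strip().splitlines():
        fields = line.split(None, 5)
        start, end = (int(x, 16) for x in fields[0].split("-"))
        rows.append({"start": start, "end": end,
                     "path": fields[5] if len(fields) > 5 else "",
                     "printable": range_has_printable(start, end)})
    return rows

# Constructed sample: the perl layout quoted in the post, minus the snipped lines.
SAMPLE_MAPS = """
08048000-08134000 r-xp 00000000 08:07 675771 /usr/bin/perl5.8.8
0813e000-08161000 rw-p 0813e000 00:00 0 [heap]
77d50000-b7d53000 rw-p 77d50000 00:00 0
bf901000-bf916000 rw-p bf901000 00:00 0 [stack]
"""
```

Running audit_maps over the sample marks only the 77d50000-b7d53000 anonymous region; the text, heap, stack and vdso ranges from the post all fail, matching HD's reading of the first listing.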
Current thread:
- Jump points jolmos at isecauditors.com (Apr 26)
- Jump points H D Moore (Apr 26)