Metasploit mailing list archives

Jump points


From: hdm at metasploit.com (H D Moore)
Date: Wed, 26 Apr 2006 10:42:11 -0500

Could you narrow down the character set you are talking about? The address 
needs to pass the isprint() macro? The viable address change depends on your 
target OS - anything using 2.6's VA randomization has a chance of having 
printable rets, but nothing you can depend on. On my (gentoo) system:

$ cat /proc/self/maps
08048000-0804c000 r-xp 00000000 08:05 147170     [self]
0804c000-0804d000 rw-p 00003000 08:05 147170    [self]
0804d000-0806e000 rw-p 0804d000 00:00 0          [heap]
b7dc6000-b7dc7000 rw-p b7dc6000 00:00 0
b7dc7000-b7ed9000 r-xp 00000000 08:05 163561     /lib/libc-2.4.so
b7ed9000-b7edb000 r--p 00111000 08:05 163561     /lib/libc-2.4.so
b7edb000-b7edd000 rw-p 00113000 08:05 163561     /lib/libc-2.4.so
b7edd000-b7ee0000 rw-p b7edd000 00:00 0
b7efc000-b7efd000 rw-p b7efc000 00:00 0
b7efd000-b7f16000 r-xp 00000000 08:05 163541     /lib/ld-2.4.so
b7f16000-b7f17000 r--p 00018000 08:05 163541     /lib/ld-2.4.so
b7f17000-b7f18000 rw-p 00019000 08:05 163541     /lib/ld-2.4.so
bf901000-bf916000 rw-p bf901000 00:00 0          [stack]
ffffe000-fffff000 ---p 00000000 00:00 0          [vdso]

None of those address ranges would pass isprint(). Any chance you can 
cause the process to allocate a large chunk of memory and essentially 
create your own return? Here is an example of causing perl to allocate 
512MB of NOPs:

$ cat /proc/7962/maps
08048000-08134000 r-xp 00000000 08:07 675771     /usr/bin/perl5.8.8
08134000-0813e000 rw-p 000eb000 08:07 675771     /usr/bin/perl5.8.8
0813e000-08161000 rw-p 0813e000 00:00 0          [heap]
77d50000-b7d53000 rw-p 77d50000 00:00 0
[snip]
ffffe000-fffff000 ---p 00000000 00:00 0          [vdso]

$ gdb -c 7962
0xffffe410 in ?? ()
(gdb) x/x 0x78787878
0x78787878:     0x90909090

-HD

On Wednesday 26 April 2006 10:33, jolmos at isecauditors.com wrote:
The problem is the ret address, I have to look for jumps or calls at
some printable addresses, has anybody found a printable universal
address?
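The check HD is doing by eye above (does any address in a mapping have four bytes that all pass isprint()?) can be automated. The following is an added example, not code from the thread or from Metasploit: it takes /proc/<pid>/maps lines, finds the lowest all-printable address inside each mapping, and reports which mappings could host a printable return such as 0x78787878. The maps lines are constructed from the ones quoted in the post, the function names are this example's own, and "printable" mirrors isprint() in the C locale (0x20..0x7e, so a space byte counts; narrow PRINT_LO if your input cannot carry spaces).

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example (not from the list post): find 32-bit addresses whose
 * four bytes all pass isprint() in the C locale (0x20..0x7e). */
#define PRINT_LO 0x20
#define PRINT_HI 0x7e

static int byte_printable(unsigned c)
{
    return c >= PRINT_LO && c <= PRINT_HI;
}

/* Every byte of the address must be printable (byte order is irrelevant). */
int printable_addr(uint32_t a)
{
    int i;
    for (i = 0; i < 4; i++)
        if (!byte_printable((a >> (8 * i)) & 0xff))
            return 0;
    return 1;
}

/* Smallest printable address >= lo, found byte-wise from the most
 * significant byte (like the next number whose base-256 digits are all in
 * the allowed set).  Returns 0 if no such 32-bit address exists. */
int next_printable(uint32_t lo, uint32_t *out)
{
    unsigned char b[4];
    int i, j, k;

    for (i = 0; i < 4; i++)
        b[i] = (lo >> (8 * (3 - i))) & 0xff;   /* b[0] is the MSB */

    for (i = 0; i < 4; i++) {
        if (byte_printable(b[i]))
            continue;
        if (b[i] < PRINT_LO) {
            /* raise this byte to the first printable value; lower bytes
             * then take their minimum */
            for (j = i; j < 4; j++)
                b[j] = PRINT_LO;
            break;
        }
        /* b[i] > PRINT_HI: carry into the nearest higher byte that still
         * has room (all higher bytes are already printable here) */
        for (k = i - 1; k >= 0 && b[k] >= PRINT_HI; k--)
            ;
        if (k < 0)
            return 0;
        b[k]++;
        for (j = k + 1; j < 4; j++)
            b[j] = PRINT_LO;
        break;
    }
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | b[3];
    return 1;
}

/* First printable address inside [lo, hi), if any. */
int first_printable_in_range(uint32_t lo, uint32_t hi, uint32_t *out)
{
    uint32_t a;
    if (!next_printable(lo, &a) || a >= hi)
        return 0;
    *out = a;
    return 1;
}

/* Parse the "start-end" field of a maps line.  Returns 1 and the first
 * printable address in that mapping, 0 if there is none.  Only 32-bit
 * mappings are considered, as in the x86 maps quoted in the post. */
int maps_line_printable(const char *line, uint32_t *out)
{
    unsigned long long lo, hi;
    uint32_t a;
    if (sscanf(line, "%llx-%llx", &lo, &hi) != 2 || lo > 0xffffffffULL)
        return 0;
    if (!next_printable((uint32_t)lo, &a) || (unsigned long long)a >= hi)
        return 0;
    *out = a;
    return 1;
}

/* Constructed sample input, taken from the maps listings in the post. */
const char *const sample_maps[] = {
    "08048000-08134000 r-xp 00000000 08:07 675771     /usr/bin/perl5.8.8",
    "08134000-0813e000 rw-p 000eb000 08:07 675771     /usr/bin/perl5.8.8",
    "0813e000-08161000 rw-p 0813e000 00:00 0          [heap]",
    "77d50000-b7d53000 rw-p 77d50000 00:00 0",
    "b7dc7000-b7ed9000 r-xp 00000000 08:05 163561     /lib/libc-2.4.so",
    "bf901000-bf916000 rw-p bf901000 00:00 0          [stack]",
    "ffffe000-fffff000 ---p 00000000 00:00 0          [vdso]",
};
#define SAMPLE_MAPS_N (sizeof(sample_maps) / sizeof(sample_maps[0]))

/* Count mappings that contain a printable address, printing each hit. */
int count_printable_ranges(const char *const *lines, size_t n)
{
    size_t i;
    int hits = 0;
    uint32_t a;
    for (i = 0; i < n; i++) {
        if (maps_line_printable(lines[i], &a)) {
            printf("%.17s  first printable ret 0x%08x\n", lines[i], a);
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    int hits = count_printable_ranges(sample_maps, SAMPLE_MAPS_N);
    printf("%d of %zu mappings contain a printable address\n",
           hits, (size_t)SAMPLE_MAPS_N);
    return 0;
}
```

On the sample input only the 1GB region perl allocated (77d50000-b7d53000) contains a printable address; its first one is 0x78202020, and 0x78787878 from HD's gdb session sits well inside it. On a live target, feed it the lines of /proc/<pid>/maps instead of the constructed array: the result tells you whether a printable return already exists, or whether you need to make the process map a large region yourself, as the post suggests.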
