Re: Some help With BOF Exploits Writing.

[". npguy" <npguy () linuxmail org>]

which one will you consider a better approach?

placing shellcode  before or after return addr?
 

----- Original Message -----
From: DownBload <downbload () hotmail com>
Date: 26 Jul 2003 12:39:18 -0000
To: vuln-dev () securityfocus com
Subject: Re: Some help With BOF Exploits Writing. 

> In-Reply-To: <Law9-F5967EKRuYDlrj00009721 () hotmail com>
>
> Remote bof exploitation is little bit harder, because you can't just 
> do "movl %esp, %eax" for finding return address. In classic buffer 
> overflows, for remote exploits, try to install vuln. application on your 
> host and find return address. Then you can code exploit which will 
> probably work on same architecture, OS and application version as yours. 
> For remote (local also) exploits, you can use return address brute force 
> method.
> Remote format string exploits are much more hackers-friendly than classic 
> buffer overflows in return address finding. You can just pop stack with %x%
> x%x%x%x.
>
> DownBload / Illegal Instruction Labs <www.kamikaza.org>
>
>
> > The return address should be before your shellcode, inside the nop's.
> >
> > [NNNNNNNNNSSSSSSSSSSSSSRET]    buffer stored on stack.
> > 5    1              2                    3     4
> > 0xFFFFA        0xFFFFD       0xFFFFE        grows upwards.
> >
> > 1. Bunch of nop instructions: 0x90, that do nothing, so execution goes to 
> > the right until your code
> >   is executed.
> >
> > 2. shellcode.
> >
> > 3. return address, which is calculated to point somewhere within the nop 
> > operations, this is calculated
> >   locally, by using the stack pointer esp. see 4.
> >
> > 4. Esp stack pointer points to the top of stack, which is usually here, 
> > unless there is other data
> >   on the stack, to calculate the address of the NOP's, you'd get the esp 
> > address and subtract
> >  an offset from it depending on the size of the data within the stack.
> >
> > 5. Ebp, the current location inside the stack, so if anything gets 
> pushed, 
> > it'll get pushed here and
> >   ebp will continue to shift to the left as more things are added to the 
> > stack.
> >
> > most unix code does this like this:
> > -----------------------------
> > get_esp()
> > {
> > __asm__("movl %esp, %eax");   puts the esp (current stack top) into eax. 
> Eax 
> > is the return value
> > }                                             of most function calls in C.
> >
> > //calculate ret, using offset supplied by user.
> >
> > offset = atoi(argv[1]);               will crash if there was no input 
> > however. Should check first.
> > RET = get_esp() - offset;
> >
> > ----------------------------------
> >
> > [NNNNNNNNNNNNNSSSSSSSSSSSSSSSRET]
> > 10         20         30         40        50      60
> >
> > simple decimal example.
> >
> > /exploit 20
> >
> > RET = Getesp() - offset
> > RET =  60 - 20
> > RET = 40
> >
> > crash .. middle of shellcode
> >
> > /exploit 40
> >
> > RET = getesp() - offset
> > RET = 60 - 40
> > RET = 20
> >
> > Bingo, right in the nops, execution moves to the right until shellcode 
> > hits.. thats the basic way of
> > doing it anyway.
> >
> > Another method is by putting the shellcode, and alot more nops inside an 
> > environment variable, to
> > increase the size of the padding(NOPs) to increase chances of success and 
> > have less guesswork.
> >
> > Anyone want to add to this?
> >
> > And a question of my own, how does remote exploits accomplish this?? 
> Thats 
> > been on my mind for
> > quite some time.
> >
> > deepcode
> >
> > > From: "theetabond" <theetabond () rediffmail com>
> > > Reply-To: "theetabond" <theetabond () rediffmail com>
> > > To: pondermate () hotmail com
> > > Subject: Some help With BOF Exploits Writing.
> > > Date: 25 Jul 2003 06:56:15 -0000
> > >
> > > Hi there DeepCode,
> > >                   I've been reading u'r recent posts on Vul-Dev, and 
> they 
> > > were very informative and useful for me. I had some questions in my mind 
> > > regarding writing buffer overflows on Win32 platform, and i hope may be 
> you 
> > > cud help me with that.
> > > I had written some exploits ( stack overflow ) for win98 successfully. 
> But 
> > > now i want to do the same thing at win2k/winxp platforms. My problem in 
> > > this is - in calculating the return address which u write over the 
> previous 
> > > RET instruction. On win98 i had a util called getcode.exe , which will 
> scan 
> > > the memory and list out the jmp eax, ret eax, call eax, call ebx and 
> > > similar useful addresses which u can use to write at return addresses. 
> > > Unfortunately this particular tool deosn't work on win2k/Xp. So how can 
> i 
> > > calculate the return address on 2k/Xp platform?? Dissembling the 
> DLLs/EXEs 
> > > and searching them all for such instances is kinda hard to do.
> > >  So is there any way/tool which can give me the desired output ??
> > > Thank You Very Much
> > > theeta.
> >
> > _________________________________________________________________
> > Add photos to your e-mail with MSN 8. Get 2 months FREE*.  
> > http://join.msn.com/?page=features/featuredemail

-- 
______________________________________________
http://www.linuxmail.org/
Now with e-mail forwarding for only US$5.95/yr

Powered by Outblaze