
List:       dailydave
Subject:    [Dailydave] about  0x7ffdf020 of  aspcode.c (now utf-8)
From:       "yuange" <yuange () nsfocus ! com>
Date:       2005-01-24 17:16:19
Message-ID: 003901c50238$6e7da7c0$0407a8c0 () windows

About  aspcode.c   http://packetstormsecurity.nl/0209-exploits/aspcode.c


1. The book <<The Shellcoder's Handbook>>, page 143:

A better strategy is to set the PEB lock to RtlEnterCriticalSection, as
follows:
       k=0x7ffdf020;
       *(int *)k=RtlEnterCriticalSectionadd;



2. http://cert.uni-stuttgart.de/archive/vuln-dev/2003/06/msg00095.html:

  Well, Halvar uses the PEB technique to find kernel32.dll and related
infoz. Check out http://packetstormsecurity.nl/0209-exploits/aspcode.c for
an exploit in typical Chinese style using the SEH technique. Note how the
exploit's shellcode is about three pages of C code, which gets compiled by
Visual Studio into shellcode.

I'm still trying to figure out what these two lines really do...
k=0x7ffdf020;
*(int *)k=RtlEnterCriticalSectionadd;
Something to do with thread locking, obviously, but what?

Dave Aitel
Immunity, Inc.
Hack like a pro, without all the Mountain Dew:
http://www.immunitysec.com/CANVAS/






 The aspcode.c is a heap buffer overflow exploit.

 A heap buffer overflow can write anything to anywhere:

 *p1=p2;
 *(p2+4)=p1;

 In my code, p2+4 = 0x7ffdf020. You can see the code of aspcode.c:

 char buff7[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";
                                               ^^^^^^^^^^^^^^^^ 0x7ffdf01c (little-endian)


 The shellcode must repair the function pointer, so you can see

   k=0x7ffdf020;
   *(int *)k=RtlEnterCriticalSectionadd;
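For an analyst reading a captured aspcode.c-style payload, the two pointer writes described above can be recovered directly from the fake chunk bytes. The following is an added example, not code from the post or from aspcode.c: it models the list unlink the post gives (*p1=p2; *(p2+4)=p1, with p2 taken from the Flink slot and p1 from the Blink slot of the fake LIST_ENTRY that follows the 8-byte chunk header) and checks whether a write lands on the PEB lock pointer. The PEB base 0x7ffdf000 and the 0x20 offset of the lock-routine pointer are assumptions derived from the post's 0x7ffdf020.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Payload bytes as quoted in the post: 8-byte chunk header, then {Flink, Blink}. */
static const unsigned char buff7[] =
    "\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";

/* Assumed layout: 32-bit PEB at 0x7ffdf000, lock-routine pointer at +0x20
   (so the slot is the 0x7ffdf020 the post and the book refer to). */
#define PEB_BASE       0x7ffdf000u
#define PEB_LOCK_OFF   0x20u

typedef struct { uint32_t addr; uint32_t value; } write_t;
typedef struct { write_t w[2]; int valid; } unlink_writes_t;

/* Decode a 32-bit little-endian value. */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Compute the two writes a doubly-linked-list unlink performs on this chunk:
   *p1 = p2 and *(p2 + 4) = p1, where p2 = Flink (offset 8), p1 = Blink (offset 12). */
unlink_writes_t unlink_writes(const unsigned char *chunk, size_t len) {
    unlink_writes_t r;
    memset(&r, 0, sizeof r);
    if (len < 16) return r;              /* header + LIST_ENTRY not present */
    uint32_t flink = le32(chunk + 8);
    uint32_t blink = le32(chunk + 12);
    r.w[0].addr = blink;     r.w[0].value = flink;   /* *p1 = p2     */
    r.w[1].addr = flink + 4; r.w[1].value = blink;   /* *(p2+4) = p1 */
    r.valid = 1;
    return r;
}

/* Report whether either write targets the PEB lock-routine pointer slot. */
int hits_peb_lock(const unlink_writes_t *r) {
    if (!r->valid) return 0;
    for (int i = 0; i < 2; i++)
        if (r->w[i].addr == PEB_BASE + PEB_LOCK_OFF) return 1;
    return 0;
}

int main(void) {
    unlink_writes_t r = unlink_writes(buff7, sizeof buff7 - 1);
    for (int i = 0; i < 2; i++)
        printf("write %d: *(0x%08x) = 0x%08x\n", i, r.w[i].addr, r.w[i].value);
    printf("targets PEB lock pointer: %s\n", hits_peb_lock(&r) ? "yes" : "no");
    return 0;
}
```

The second write is what lands on 0x7ffdf020, which is why the shellcode must restore that slot to RtlEnterCriticalSection before the process takes the PEB lock again.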



