[12631] in bugtraq


Re: hard-coded windows exploits

daemon@ATHENA.MIT.EDU (Gerardo Richarte)
Wed Nov 17 22:50:07 1999

Message-Id:  <383302A1.395DC902@core-sdi.com>
Date:         Wed, 17 Nov 1999 16:25:15 -0300
Reply-To: Gerardo Richarte <core.lists.bugtraq@CORE-SDI.COM>
From: Gerardo Richarte <core.lists.bugtraq@CORE-SDI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Jeremy Kothe wrote:
>
> Just a general note concerning Windows overflows - most (if not all) of the
> publicly available exploits I have seen floating around are still using
> hard-coded addresses for system calls.
>
> Is this the only way to do this? Note that this method has been around for a
> while, but I haven't seen any public releases of it. If anyone knows of any
> other ways....


        I don't think that this is the only way to do it. What about using direct system calls? You don't need addresses for that, just call INT 2e/2c/2b with the correct registers...

        I can add to this that it may be a little harder to do, but anyway, kernel32.dll calls INTs or calls ntdll.dll, which uses INT 2e/2c/2b to talk with NT's kernel, so everything looks possible with INTs.

        richie

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Research and Development - CoreLabs - Core SDI
http://www.core-sdi.com

--- For a personal reply use gera@core-sdi.com
