[12633] in bugtraq


Re: hard-coded windows exploits

daemon@ATHENA.MIT.EDU (Thomas Dullien)
Wed Nov 17 23:34:53 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id:  <19991117195950.14195.qmail@home1.gmx.net>
Date:         Wed, 17 Nov 1999 20:22:25 +0100
Reply-To: Thomas Dullien <dullien@gmx.de>
From: Thomas Dullien <dullien@GMX.DE>
X-To:         "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>,
              Jeremy Kothe <paceflow@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM


On Tue, 16 Nov 1999 14:00:31 PST, Jeremy Kothe wrote:

>Using checksums of function names instead of the actual names, and an
>optimized GetProcAddress routine, results in generic code of about 200 bytes
>which can locate kernel32 and get the addresses of any functions,
>completely irrespective of the version of Windows.

Well, IMO using such a routine is not necessary for something like a buffer
overflow in a Ring3 program under NT. In the Win32 environment, all your
applications that reside in the pageable memory pool (ALL user-mode apps)
will always be loaded at a fixed base address. In that scenario, you can
just as well use hard-coded addresses, namely those of the functions in the
PE header of the exploited program.

The only exceptions to this are DLLs, which are sometimes (only in case of
a collision with already loaded DLLs) relocated, and R0 device drivers (which
are always relocated due to the nature of the nonpaged pool in NT).

So, all in all, if I am going to overflow a simple NT server there's no need for me to
actually go to the pain of coding my own GetProcAddress routine; I know the
program I am trying to overflow and can use hard-coded values in my header
files for the assembler. (This is different from a virus programmer's
perspective; in that case your proposal would be quite in place.)

On the other hand, of course, if I am attacking either a DLL or a driver (drivers
are especially interesting ;) I would need to follow your layout.



Thomas Dullien
dullien@gmx.de
Win32 Security Consultant ;-> Hire me !
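As an added example (not from this thread), a small Python check for the property the argument above rests on: whether a PE image can be loaded anywhere other than its ImageBase. It reads the COFF Characteristics flag IMAGE_FILE_RELOCS_STRIPPED and the base-relocation data directory; the two sample headers are constructed inside the script, not real binaries, and the argument itself predates ASLR, which relocates images regardless of these fields.

```python
import struct
IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics bit: no relocation data, image cannot be rebased
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
BASE_RELOC_DIR = 5                   # data-directory index of the base-relocation table

def load_address_info(image: bytes) -> dict:
    """Read ImageBase and whether the loader can relocate this image away from it."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20                                              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional-header magic")
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]
    reloc_size = struct.unpack_from("<II", image, dirs_off + 8 * BASE_RELOC_DIR)[1] if ndirs > BASE_RELOC_DIR else 0
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "image_base": image_base,
        "relocs_stripped": stripped,
        "has_reloc_table": reloc_size != 0,
        # No relocation data means the loader maps the image at ImageBase or fails,
        # which is the condition under which hard-coded addresses stay valid.
        "fixed_load_address": stripped or reloc_size == 0,
    }

def build_header(image_base, characteristics, reloc_size):
    """Constructed minimal PE32 header (no sections) used only as sample input."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * BASE_RELOC_DIR, 0x5000 if reloc_size else 0, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed samples: an EXE with relocations stripped, and a DLL that keeps its .reloc table.
EXE_FIXED = build_header(0x00400000, 0x010F, 0)
DLL_RELOCATABLE = build_header(0x10000000, 0x210E, 0x400)
```

Run it against a real module with `load_address_info(open(path, "rb").read())`; a DLL whose result is not fixed is one the loader may rebase on a collision, exactly the exception the post describes.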


