[12634] in bugtraq


Re: hardcoded windows exploits

daemon@ATHENA.MIT.EDU (Jeremy Kothe)
Wed Nov 17 23:35:25 1999

Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-Id:  <19991117221016.43808.qmail@hotmail.com>
Date:         Wed, 17 Nov 1999 14:10:16 PST
Reply-To: Jeremy Kothe <paceflow@HOTMAIL.COM>
From: Jeremy Kothe <paceflow@HOTMAIL.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

>Well, IMO using such a routine is not necessary for something like a buffer
>overflow in a Ring3-Program under NT. In the win32 environment, all your
>applications that reside in the pageable memory pool (ALL User-Mode Apps)
>will always be loaded at a fixed base address. In that scenario, you can
>just as well use hard-coded addresses, namely those of the functions in the
>PE-Header of the exploited program.

This is fine IF the target .EXE or .DLL contains the functions you are
looking for, AND if you don't mind re-coding (or re-adjusting) the exploit
for each new overflow. With this method, you can write any exploit
algorithm you choose (use URLDownloadToCacheFileA or winsock, as per your
preference) and it will work with ANY overflow situation.

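The routine the two posters are arguing about, as an added example that is not code from the original thread or from either author: instead of hard-coding the address of a function found in the exploited program's PE header, a position-independent payload locates a loaded module and walks its export directory to resolve what it needs (GetProcAddress, LoadLibraryA, or a winsock entry point) at run time. The module image below is a constructed, minimal PE32 laid out "as mapped" (RVA equals buffer offset) with hypothetical export names and RVAs; it stands in for the module base that a real payload would read from the PEB loader list, which cannot be shown in portable code. The lookup handles both PE32 and PE32+ data-directory offsets, supports the ROR-13 name hash many payloads use so no strings are embedded, and refuses forwarded exports, which a naive walker would return as a bogus address.

```c
/* Added example, not code from the original Bugtraq thread: resolve Win32 API
 * addresses by walking a module's export table at run time, the alternative to
 * the hard-coded addresses discussed above. The module image is a constructed,
 * minimal PE32 laid out "as mapped" (RVA == buffer offset), standing in for a
 * module base that a real payload would take from the PEB loader list. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint8_t image[0x500];

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* ROR-13 name hash used by many position-independent payloads so that
 * function names need not be embedded as strings. */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    while (*s) { h = (h >> 13) | (h << 19); h += (uint8_t)*s++; }
    return h;
}

/* Walk the export directory; match by name when 'name' is non-NULL, else by
 * hash. Returns the export's RVA (add the module base to get the address), or
 * 0 when absent, when the image is not a PE, or when the export is a forwarder
 * (its "RVA" points inside the export directory at a "DLL.Func" string, which
 * must be resolved through the named module instead). */
static uint32_t walk_exports(const uint8_t *base, const char *name, uint32_t hash) {
    if (rd16(base) != 0x5A4D) return 0;                   /* "MZ" */
    uint32_t nt = rd32(base + 0x3C);                       /* e_lfanew */
    if (rd32(base + nt) != 0x00004550) return 0;           /* "PE\0\0" */
    const uint8_t *opt = base + nt + 4 + 20;               /* skip FILE_HEADER */
    uint32_t dd = (rd16(opt) == 0x20B) ? 112 : 96;         /* PE32+ vs PE32 */
    uint32_t exp_rva = rd32(opt + dd), exp_size = rd32(opt + dd + 4);
    if (!exp_rva) return 0;
    const uint8_t *edir = base + exp_rva;
    uint32_t nfuncs = rd32(edir + 20), nnames = rd32(edir + 24);
    const uint8_t *funcs = base + rd32(edir + 28);         /* AddressOfFunctions */
    const uint8_t *names = base + rd32(edir + 32);         /* AddressOfNames */
    const uint8_t *ords  = base + rd32(edir + 36);         /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < nnames; i++) {
        const char *n = (const char *)base + rd32(names + 4 * i);
        if (name ? strcmp(n, name) != 0 : ror13_hash(n) != hash) continue;
        uint16_t ord = rd16(ords + 2 * i);                 /* index into funcs */
        if (ord >= nfuncs) return 0;
        uint32_t rva = rd32(funcs + 4 * ord);
        if (rva >= exp_rva && rva < exp_rva + exp_size) return 0; /* forwarder */
        return rva;
    }
    return 0;
}

uint32_t find_export_by_name(const uint8_t *base, const char *name) {
    return walk_exports(base, name, 0);
}

uint32_t find_export_by_hash(const uint8_t *base, uint32_t hash) {
    return walk_exports(base, NULL, hash);
}

/* Constructed sample module (hypothetical RVAs): three exports whose name table
 * is sorted, as in real images, while AddressOfFunctions is in ordinal order,
 * so the name-index -> ordinal -> function indirection is exercised. */
const uint8_t *build_sample_image(void) {
    memset(image, 0, sizeof image);
    wr16(image, 0x5A4D);                 /* e_magic "MZ" */
    wr32(image + 0x3C, 0x80);            /* e_lfanew */
    wr32(image + 0x80, 0x00004550);      /* PE signature */
    wr16(image + 0x84, 0x014C);          /* Machine: i386 */
    wr16(image + 0x94, 0xE0);            /* SizeOfOptionalHeader */
    wr16(image + 0x98, 0x10B);           /* PE32 magic */
    wr32(image + 0x98 + 96, 0x200);      /* DataDirectory[EXPORT].VirtualAddress */
    wr32(image + 0x98 + 100, 0x230);     /* DataDirectory[EXPORT].Size (covers tables+strings) */
    uint8_t *edir = image + 0x200;
    wr32(edir + 20, 3); wr32(edir + 24, 3);                     /* 3 functions, 3 names */
    wr32(edir + 28, 0x300); wr32(edir + 32, 0x340); wr32(edir + 36, 0x380);
    uint32_t func_rvas[3] = {0x1000, 0x2000, 0x3000}; /* ord 0 LoadLibraryA, 1 GetProcAddress, 2 WinExec */
    const char *names[3] = {"GetProcAddress", "LoadLibraryA", "WinExec"};
    uint16_t name_ords[3] = {1, 0, 2};
    uint32_t str = 0x400;
    for (int i = 0; i < 3; i++) {
        wr32(image + 0x300 + 4 * i, func_rvas[i]);
        wr32(image + 0x340 + 4 * i, str);
        wr16(image + 0x380 + 2 * i, name_ords[i]);
        strcpy((char *)image + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
    return image;
}

int main(void) {
    const uint8_t *base = build_sample_image();
    printf("GetProcAddress RVA: 0x%x\n", (unsigned)find_export_by_name(base, "GetProcAddress"));
    printf("LoadLibraryA RVA (by hash): 0x%x\n",
           (unsigned)find_export_by_hash(base, ror13_hash("LoadLibraryA")));
    return 0;
}
```

On a real target the base handed to the walker is the load address of kernel32.dll taken from the PEB (fs:[0x30] on x86, gs:[0x60] on x64, then Ldr and the InMemoryOrderModuleList), and the call target is base plus the returned RVA. That is what makes the payload independent of whichever .EXE or .DLL was overflowed: it needs nothing from the victim's own import table, which is the point the reply above makes. In 1999 user-mode modules really did load at their preferred bases, so hard-coding was workable; with ASLR the dynamic lookup is the only option that survives a reboot.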
