C4Swimmers Newsletter  

Article : Windows Shellcode Locations and Buffer Overflows

Introduction
This is not just another paper describing the basics of buffer overflows. There are lots of publications on this topic, so it does not make any sense to describe it again. If you are familiar with exploiting buffer overflows on the Windows platform, do not think that this article has nothing to offer you. It shows some interesting methods which can be used while writing an exploit (for example, where to put shellcode when the stack is non-executable). Basic knowledge of x86 processors, the Assembly and C languages, and buffer overflow exploitation is required.

The ability to overflow a buffer on the stack gives us full control over the EIP register of the x86 processor. Yep!!! This is great!!! We can load this register with any address we want, and then force the vulnerable program to jump there and execute the code at that address.

The problem occurs when we want to execute the code which WE want executed, and not the code that is actually in memory. To achieve this, we have to place OUR code in the memory of the process we are attacking. This code is known as shellcode, and it consists of a set of processor instructions, encoded as their hex byte values.

In this paper I will discuss three possible locations in memory where we can put our shellcode, and then how to force the vulnerable application to execute it. During this tutorial we will be using two shellcodes of different sizes.

The first, written by me:
1. Loads the user32.dll library into process memory
2. Calls MessageBoxA
3. Calls ExitProcess(0) to terminate the process

The second was generated in the Metasploit Framework. It binds a Windows shell (cmd.exe) to port 4444.

The three methods (possible locations in memory) I will describe are the following:
1. On the stack, behind the buffer that smashes the stack (so behind the return address)
2. In the buffer which overflows the buffer on the stack
3. In the TEB block

Courtesy:- Go4expert.com