From: Jeremy Kothe [paceflow@HOTMAIL.COM]
Sent: Tuesday, November 16, 1999 5:01 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: hard-coded windows exploits

Just a general note concerning Windows overflows - most (if not all) of the publicly available exploits I have seen floating around are still using hard-coded addresses for system calls. I thought people might want to know that it is possible (and, indeed, quite easy) to get the addresses of system functions in a system-independent way.

The technique is simple - all Windows processes are launched (called) from Kernel32.dll originally, so at the TOP of the stack (give or take a DWORD, depending on launch environment) there is a pointer to code inside kernel32.dll. Given that the top of the stack is stored at fs:4, it is easy to scan from the top of the stack, looking for kernel32.dll's PE header. Using an SEH block to skip over incorrect addresses on the stack, we can locate and look up whatever functions we want from Kernel32 (and from there to any other .dll).

Using checksums of function names instead of the actual names, and an optimized GetProcAddress routine, results in generic code of about 200 bytes which can locate kernel32 and get the addresses of any functions, completely irrespective of the version of Windows.

Note that most overflows will still require an initial hard-coded address to overwrite the stack return or the heap with, but there is no need for hard-coded function calls.

Is this the only way to do this? Note that this method has been around for a while, but I haven't seen any public releases of it. If anyone knows of any other ways....

Jeremy Kothe

Hi to any aussies (expats or otherwise) out there - even if you are from Queensland ;)
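The name-checksum lookup the post describes is also what an analyst has to undo when a sample contains only 32-bit constants instead of API names: to identify the constants you parse the export directory of the module in question, hash every export name with the sample's checksum routine, and build the reverse table. The following Python is an added example written for that analyst-side task; it is not code from the post. It constructs a minimal PE32 image in memory (RVA equal to offset, as a mapped image would be) with a handful of invented exports and RVAs, parses the export directory back out the same way a resolver walks it (name table, ordinal table, function table), and maps a hash constant to a name. The rotate-right-13 checksum is an assumed example routine; the post does not say which checksum its code uses.

```python
"""Export-directory walk and name-hash reverse lookup over a constructed PE32 image."""
from __future__ import annotations
import struct

# Assumed checksum routine (the post names none): rotate the running value
# right by 13 bits and add each name byte, 32-bit wraparound, no terminator.
def ror13_hash(name: bytes) -> int:
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h

# Constructed sample exports: names from the public kernel32 export list,
# RVAs invented for the test image (not real kernel32 offsets).
SAMPLE_EXPORTS = {
    "ExitProcess": 0x3456, "GetProcAddress": 0x1234, "LoadLibraryA": 0x2345,
    "VirtualAlloc": 0x5678, "WinExec": 0x4567,
}

def build_sample_image(exports: dict) -> bytes:
    """Build a minimal PE32 image (MZ, PE, COFF, optional header, export dir)."""
    names = sorted(exports)                       # real name tables are sorted
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)      # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    # COFF header: Machine i386, 0 sections, SizeOfOptionalHeader=224, DLL flags
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)      # PE32 magic
    export_rva = 0x200
    struct.pack_into("<II", img, opt + 96, export_rva, 0x400)  # DataDirectory[0]
    n = len(names)
    funcs = export_rva + 40
    name_ptrs = funcs + 4 * n
    ords = name_ptrs + 4 * n
    cur = ords + 2 * n                            # string area follows the tables
    for i, name in enumerate(names):
        struct.pack_into("<I", img, funcs + 4 * i, exports[name])
        struct.pack_into("<I", img, name_ptrs + 4 * i, cur)
        struct.pack_into("<H", img, ords + 2 * i, i)
        img[cur:cur + len(name) + 1] = name.encode() + b"\0"
        cur += len(name) + 1
    # IMAGE_EXPORT_DIRECTORY: ... Base=1, NumberOfFunctions, NumberOfNames, tables
    struct.pack_into("<IIHHIIIIIII", img, export_rva,
                     0, 0, 0, 0, 0, 1, n, n, funcs, name_ptrs, ords)
    return bytes(img)

def parse_exports(image: bytes) -> dict:
    """Walk a mapped PE image's export directory and return {name: rva}."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe, = struct.unpack_from("<I", image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24
    magic, = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dd = opt + (96 if magic == 0x10B else 112)    # DataDirectory offset differs for PE32+
    export_rva, _size = struct.unpack_from("<II", image, dd)
    if export_rva == 0:
        return {}
    (_, _, _, _, _, _base, _nfuncs, nnames, funcs, name_ptrs, ords) = \
        struct.unpack_from("<IIHHIIIIIII", image, export_rva)
    out = {}
    for i in range(nnames):
        name_rva, = struct.unpack_from("<I", image, name_ptrs + 4 * i)
        name = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
        ordinal, = struct.unpack_from("<H", image, ords + 2 * i)   # index into funcs
        rva, = struct.unpack_from("<I", image, funcs + 4 * ordinal)
        out[name] = rva
    return out

def build_hash_table(image: bytes, hash_fn=ror13_hash) -> dict:
    """Analyst view: checksum constant -> export name, for every export."""
    return {hash_fn(name.encode()): name for name in parse_exports(image)}

def resolve_hash(image: bytes, h: int, hash_fn=ror13_hash):
    """Return (name, rva) for the export whose checksum is h, or None."""
    for name, rva in parse_exports(image).items():
        if hash_fn(name.encode()) == h:
            return name, rva
    return None

if __name__ == "__main__":
    img = build_sample_image(SAMPLE_EXPORTS)
    for h, name in sorted(build_hash_table(img).items()):
        print(f"{h:08x}  {name}")
```

Run against a real module, the same table is what lets you label the constants in a 200-byte resolver stub as concrete API names, and a match on a known table is a much stronger signal than any hard-coded address would have been.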