| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Dec 2007 23:34:07 -0600 From: H D Moore <fdlist@...italoffense.net> To: full-disclosure@...ts.grok.org.uk Subject: Windows XP SP2 - SP3 Compatible Return Addresses <TLDR> Use 0x71aa15cf for pop/pop/ret on WinXP SP2/SP3 English </TLDR> Download the mini-database here: http://metasploit.com/users/hdm/tools/opcodes_xp_sp2_sp3.tar.gz >>From the README: This package contains a text listing of addresses which can be useful for exploitation. Each subdirectory represents a type of return address and each file within the subdirectory refers to a specific DLL. These addresses should be valid on any Windows XP SP2 or Windows XP SP3 (release candidate) system using the English language. To locate a return address, first determine which type of opcode you need. If you are exploiting a SEH overwrite, then the "poppopret" files may be the easiest route to reliable code execution. Once you know the type of opcode you want, determine what DLLs are used by the target program. At this point, you can just view the appropriate text file to obtain a list of usable addresses. Examples below. Exploiting a SEH overwrite in a program which uses Winsock2: $ cat poppopret/ws2help.dll.txt 0x71aa1560 pop esi; pop ebp; retn 0x0008 0x71aa15cf pop edi; pop ebp; retn 0x0008 Using a "call eax" equivalent opcode in a program which uses OLE $ cat eax/oleaut32.dll.txt 0x771613f2 call eax -HD _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists