[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200712192334.07560.fdlist@digitaloffense.net>
Date: Wed, 19 Dec 2007 23:34:07 -0600
From: H D Moore <fdlist@...italoffense.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Windows XP SP2 - SP3 Compatible Return Addresses
<TLDR>
Use 0x71aa15cf for pop/pop/ret on WinXP SP2/SP3 English
</TLDR>
Download the mini-database here:
http://metasploit.com/users/hdm/tools/opcodes_xp_sp2_sp3.tar.gz
>>From the README:
This package contains a text listing of addresses which can be useful for
exploitation. Each subdirectory represents a type of return address and
each file within the subdirectory refers to a specific DLL.
These addresses should be valid on any Windows XP SP2 or Windows XP SP3
(release candidate) system using the English language.
To locate a return address, first determine which type of opcode you need.
If you are exploiting a SEH overwrite, then the "poppopret" files may be
the easiest route to reliable code execution. Once you know the type of
opcode you want, determine what DLLs are used by the target program. At
this point, you can just view the appropriate text file to obtain a list
of usable addresses. Examples below.
Exploiting a SEH overwrite in a program which uses Winsock2:
$ cat poppopret/ws2help.dll.txt
0x71aa1560 pop esi; pop ebp; retn 0x0008
0x71aa15cf pop edi; pop ebp; retn 0x0008
Using a "call eax" equivalent opcode in a program which uses OLE
$ cat eax/oleaut32.dll.txt
0x771613f2 call eax
-HD
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists