Open Source and information security mailing list archives
Message-Id: <200712192334.07560.fdlist@digitaloffense.net>
Date: Wed, 19 Dec 2007 23:34:07 -0600
From: H D Moore <fdlist@...italoffense.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Windows XP SP2 - SP3 Compatible Return Addresses

<TLDR>
Use 0x71aa15cf for pop/pop/ret on WinXP SP2/SP3 English
</TLDR>

Download the mini-database here:
http://metasploit.com/users/hdm/tools/opcodes_xp_sp2_sp3.tar.gz

From the README:

This package contains a text listing of addresses which can be useful for
exploitation. Each subdirectory represents a type of return address and
each file within the subdirectory refers to a specific DLL.

These addresses should be valid on any Windows XP SP2 or Windows XP SP3
(release candidate) system using the English language.


To locate a return address, first determine which type of opcode you need.
If you are exploiting a SEH overwrite, then the "poppopret" files may be
the easiest route to reliable code execution. Once you know the type of
opcode you want, determine what DLLs are used by the target program. At
this point, you can just view the appropriate text file to obtain a list
of usable addresses. Examples below.


Exploiting a SEH overwrite in a program which uses Winsock2:

$ cat poppopret/ws2help.dll.txt
0x71aa1560 pop esi; pop ebp; retn 0x0008
0x71aa15cf pop edi; pop ebp; retn 0x0008

Using a "call eax" equivalent opcode in a program which uses OLE

$ cat eax/oleaut32.dll.txt
0x771613f2 call eax

-HD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
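The listings above are the output of scanning each DLL's image for specific byte patterns: a pop/pop/ret gadget is two single-byte `pop r32` opcodes (0x58 to 0x5F) followed by `ret` (0xC3) or `retn imm16` (0xC2 imm16), and `call eax` is the two bytes FF D0. The reason pop/pop/ret works for an SEH overwrite is that when the exception dispatcher invokes the handler, [ESP+8] holds the address of the EXCEPTION_REGISTRATION record the attacker just overwrote, so two pops and a ret transfer control to the nSEH slot, which then usually holds a short jump into the payload; the `retn 0x0008` form only adjusts ESP after the return and does not change that. The scanner below, an added example that is not part of HD's post or the opcode database, reproduces that search over a byte buffer and prints addresses in the same `0xADDR mnemonic` format. The module base and the byte sample are constructed for illustration; in practice the base comes from the loaded DLL, and any address you pick should still be checked against the exact module version on the target, since the listing covers XP SP2 and an SP3 release candidate only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical load address used to turn buffer offsets into virtual
 * addresses. The constructed bytes below stand in for a DLL's code
 * section; they are not a dump of any real module. */
#define MODULE_BASE 0x71aa0000u

typedef struct {
    uint32_t addr;      /* virtual address of the gadget's first byte */
    uint16_t retn_imm;  /* 0 for plain ret, else the retn immediate */
    char     text[48];  /* human-readable form, as in the poppopret listing */
} gadget_t;

static const char *const reg32[8] =
    { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* pop r32 is the single-byte opcode 0x58 + register index. */
static int is_pop(uint8_t b) { return b >= 0x58 && b <= 0x5F; }

/* Scan buf for "pop r32; pop r32; ret" and "pop r32; pop r32; retn imm16".
 * Returns the number of gadgets written to out (at most max_out). */
size_t find_poppopret(const uint8_t *buf, size_t len, uint32_t base,
                      gadget_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 2 < len && n < max_out; i++) {
        if (!is_pop(buf[i]) || !is_pop(buf[i + 1]))
            continue;
        uint16_t imm = 0;
        if (buf[i + 2] == 0xC2) {            /* retn imm16 */
            if (i + 4 >= len)
                continue;                    /* immediate runs off the buffer */
            imm = (uint16_t)(buf[i + 3] | (buf[i + 4] << 8));
        } else if (buf[i + 2] != 0xC3) {     /* not a ret at all */
            continue;
        }
        /* "pop esp" moves the stack pointer before the ret fires, so the
         * sequence no longer returns into the SEH record; drop it. */
        if ((buf[i] & 7) == 4 || (buf[i + 1] & 7) == 4)
            continue;
        out[n].addr = base + (uint32_t)i;
        out[n].retn_imm = imm;
        if (imm)
            snprintf(out[n].text, sizeof out[n].text, "pop %s; pop %s; retn 0x%04x",
                     reg32[buf[i] & 7], reg32[buf[i + 1] & 7], imm);
        else
            snprintf(out[n].text, sizeof out[n].text, "pop %s; pop %s; ret",
                     reg32[buf[i] & 7], reg32[buf[i + 1] & 7]);
        n++;
    }
    return n;
}

/* Scan buf for "call reg" (FF D0+r) and "jmp reg" (FF E0+r) for one register
 * index (0 = eax .. 7 = edi); these are the "call eax"-class trampolines. */
size_t find_call_jmp_reg(const uint8_t *buf, size_t len, uint32_t base,
                         unsigned reg, gadget_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max_out; i++) {
        if (buf[i] != 0xFF)
            continue;
        const char *mn;
        if (buf[i + 1] == (uint8_t)(0xD0 + reg))      mn = "call";
        else if (buf[i + 1] == (uint8_t)(0xE0 + reg)) mn = "jmp";
        else continue;
        out[n].addr = base + (uint32_t)i;
        out[n].retn_imm = 0;
        snprintf(out[n].text, sizeof out[n].text, "%s %s", mn, reg32[reg & 7]);
        n++;
    }
    return n;
}

/* Constructed sample "code section" (not real DLL bytes). */
const uint8_t sample_code[] = {
    0x90, 0x90,                         /* +0:  nop; nop */
    0x5E, 0x5D, 0xC2, 0x08, 0x00,       /* +2:  pop esi; pop ebp; retn 8 */
    0x33, 0xC0,                         /* +7:  xor eax, eax */
    0x5F, 0x5D, 0xC2, 0x08, 0x00,       /* +9:  pop edi; pop ebp; retn 8 */
    0x5C, 0x5D, 0xC3,                   /* +14: pop esp; pop ebp; ret (rejected) */
    0x58, 0x5B, 0xC3,                   /* +17: pop eax; pop ebx; ret */
    0xFF, 0xD0,                         /* +20: call eax */
    0xFF, 0xE0,                         /* +22: jmp eax */
    0x5E, 0x5D,                         /* +24: pop/pop cut off at end of buffer */
};

int main(void)
{
    gadget_t g[16];
    size_t n = find_poppopret(sample_code, sizeof sample_code, MODULE_BASE, g, 16);
    for (size_t i = 0; i < n; i++)
        printf("0x%08x %s\n", (unsigned)g[i].addr, g[i].text);
    n = find_call_jmp_reg(sample_code, sizeof sample_code, MODULE_BASE, 0, g, 16);
    for (size_t i = 0; i < n; i++)
        printf("0x%08x %s\n", (unsigned)g[i].addr, g[i].text);
    return 0;
}
```

Because the scan runs over raw bytes rather than disassembled instructions, it reports the same unaligned sequences a real gadget listing does (a gadget need not start on an instruction boundary); the filter on `pop esp` is the one practical exclusion, since that sequence does not return into the SEH record.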