Re: hard-coded windows exploits
Peter Gutmann (pgut001@CS.AUCKLAND.AC.NZ)
Tue, 23 Nov 1999 09:27:55 -0500
- Next message: dark spyrit: "Re: hard-coded windows exploits"
- Previous message: Ussr Labs: "Remote D.o.S Attack in ZetaMail 2.1 Mail POP3/SMTP Server Vulnerability"
- Next in thread: Jeremy Collake: "Re: hard-coded windows exploits"
- Reply: Jeremy Collake: "Re: hard-coded windows exploits"
Jeremy Collake <collake@CHARTER.NET> writes:
>The only other feasible way to avoid the use of static API addresses is to
>assume that the exploited application has imported GetProcAddress/
>LoadLibrary or the APIs one is wanting to use, and traverse the host's
>import table to find the addresses.
When I was playing with hostile thread injection about 2 years ago I found
that kernel32.dll always seemed to be mapped into a process's address space
at the same location, and once you have that all you need to do is locate
GetProcAddress() to get everything else. Has anyone else found this?
(Disclaimer: I wasn't terribly motivated to do much with the code and never
tested it much; it could have been only on the test machine I was using.)
Peter.
This archive was generated by hypermail 2.0b3 on Tue Nov 23 1999 - 08:28:34 CST