Vuln Dev
Re: GetPC code (was: Shellcode from ASCII) Jun 27 2003 08:22PM
noir (noir gsu linux org tr) (2 replies)
"""
> First thoughts on the second challenge: You can't use any of the call
> opcodes, but you might be able to setup a quick exception handler in
> the known mapped space. Cause a fault, and then find the address of
> your fault causing instruction in the structure that's passed. (Again
> I'm talking NT).

I'm not sure this could be done (same problem) but, keep this in mind
anyway :-) [hint]

gera
"""

I have spent a good 20 minutes on this; I don't have the solution yet due to
lack of time, but I thought this might be interesting for the list.

Basically, I'm simulating a floating point exception (division by zero) and
then grabbing the EIP (PC) from the exception record. PC is the location of
the fdivs instruction, since that instruction created the exception
condition, so we add 11 on top to make %eax point to the nop instruction.
(AT&T syntax)

xor %eax, %eax          # eax = 0
push %eax               # push a zero dword; (%esp) is now the divisor
fdivs (%esp)            # st(0) / 0.0: the FPU records this instruction's address
fnstenv (%esp)          # store the 28-byte FPU environment at (%esp)
mov 0xc(%esp), %eax     # offset 0xc of the environment = saved FPU instruction pointer (address of fdivs)
add $0xd, %eax          # skip the 0xd (13) bytes from fdivs up to nop
nop                     # %eax now points here

- noir

sup mate? ;)
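
The stub above is exactly the pattern that host and network detectors look for when flagging position-independent shellcode. As an added example (not code from the original post), here is a small Python scanner that implements that heuristic over a byte buffer: an x87 instruction (escape opcodes 0xD8..0xDF) followed within a few bytes by fnstenv with a memory operand, optionally followed by a load of the saved FPU instruction pointer from offset 0xc of the 28-byte environment. The sample buffer is constructed here from the 32-bit encoding of the stub in the post, padded with nops; the function names and the 8-byte look-back window are my own choices.

```python
# Added example: a heuristic scanner for the fnstenv-based GetPC stub.
# Signal: fnstenv (D9 /6, memory operand) within a few bytes after any x87
# instruction (opcode 0xD8-0xDF), optionally followed by a mov that reads
# offset 0xc of the stored environment (the saved FPU instruction pointer).
from typing import List, Optional

FPU_ESCAPE = range(0xD8, 0xE0)   # x87 escape opcodes d8..df
FIP_OFFSET = 0x0C                # FPU instruction pointer inside the fnstenv block


def _modrm_length(buf: bytes, pos: int) -> Optional[int]:
    """Length of a ModRM (+SIB +displacement) operand at pos, or None if truncated."""
    if pos >= len(buf):
        return None
    modrm = buf[pos]
    mod, rm = modrm >> 6, modrm & 7
    length = 1
    if mod == 3:
        return length
    if rm == 4:                          # SIB byte follows
        if pos + 1 >= len(buf):
            return None
        length += 1
        if mod == 0 and (buf[pos + 1] & 7) == 5:
            length += 4                  # SIB with no base register: disp32
    elif mod == 0 and rm == 5:
        length += 4                      # disp32 with no base register
    if mod == 1:
        length += 1                      # disp8
    elif mod == 2:
        length += 4                      # disp32
    return length if pos + length <= len(buf) else None


def _fnstenv_length(buf: bytes, i: int) -> Optional[int]:
    """If buf[i:] starts with fnstenv m28 (D9 /6 with a memory operand), return its length."""
    if i + 1 >= len(buf) or buf[i] != 0xD9:
        return None
    modrm = buf[i + 1]
    if (modrm >> 3) & 7 != 6 or modrm >> 6 == 3:
        return None                      # not /6, or register form (not fnstenv)
    opnd = _modrm_length(buf, i + 1)
    return None if opnd is None else 1 + opnd


def _loads_fip(buf: bytes, start: int, window: int = 8) -> bool:
    """True if `mov r32, disp8(base)` with disp8 == 0x0c appears within window bytes of start."""
    for j in range(start, min(start + window, len(buf) - 2)):
        if buf[j] != 0x8B:
            continue
        modrm = buf[j + 1]
        if modrm >> 6 != 1:              # need the disp8 form (mod == 01)
            continue
        disp_pos = j + 3 if (modrm & 7) == 4 else j + 2   # skip SIB when rm == 100
        if disp_pos < len(buf) and buf[disp_pos] == FIP_OFFSET:
            return True
    return False


def find_getpc_stubs(buf: bytes, window: int = 8) -> List[dict]:
    """Report fnstenv GetPC candidates: fnstenv preceded by an x87 opcode within `window` bytes."""
    hits = []
    i = 0
    while i < len(buf):
        fn_len = _fnstenv_length(buf, i)
        if fn_len is None:
            i += 1
            continue
        fpu_at = None
        for k in range(i - 1, max(i - window, 0) - 1, -1):
            if buf[k] in FPU_ESCAPE:
                fpu_at = k
                break
        if fpu_at is not None:           # fnstenv alone does not update the saved FIP
            hits.append({
                "fpu_offset": fpu_at,
                "fnstenv_offset": i,
                "loads_fip": _loads_fip(buf, i + fn_len),
            })
        i += fn_len
    return hits


# Constructed sample: the stub from the post encoded for 32-bit x86
# (xor/push/fdivs/fnstenv/mov/add/nop), padded with nops on both sides.
NOIR_STUB = bytes.fromhex("31c0" "50" "d83424" "d93424" "8b44240c" "83c00d" "90")
SAMPLE = b"\x90" * 16 + NOIR_STUB + b"\x90" * 8

if __name__ == "__main__":
    for hit in find_getpc_stubs(SAMPLE):
        print(hit)
```

The heuristic also fires on legitimate x87 code that saves the FPU environment, so it is a signal to weigh together with others (entropy of the surrounding bytes, whether the buffer is in an input field or a file that should contain no code) rather than a verdict on its own.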

Re: GetPC code (was: Shellcode from ASCII) Nov 18 2003 10:57PM
Aaron Adams (aadams securityfocus com) (1 replies)
Re: GetPC code (was: Shellcode from ASCII) Nov 19 2003 10:12PM
noir (noir gsu linux org tr)
Re: GetPC code (was: Shellcode from ASCII) Jun 30 2003 02:30PM
Gerardo Richarte (gera corest com) (1 replies)
Re: GetPC code (was: Shellcode from ASCII) Jul 01 2003 04:56PM
Costin Ionescu (costin ionescu fokus fraunhofer de)