fluffibunni
Oct 9 2003, 06:09 AM
i have a question:
how can we find our shellcode in a REMOTE EXPLOIT?
woutiir said we can use offset brute forcing, but how?
should we only change EIP and EBP, or should we change many other things?
when i saw exploits such as DCOM that use different RET addresses, i wondered
why they use different RET addresses (for WINXP, WIN2K SPn); those RET addresses are very near.
they can fill NOP before the shellcode starts ((old method)). why don't they use this method, or why will this method not work???
old method
1000*[NOP]
[shellcode]
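The "old method" layout above is exactly what a network sensor looks for from the other side. The following is an added example, not code from this thread: a defender-side scanner that finds the longest run of single-byte x86 NOP-equivalent instructions in a payload and flags buffers shaped like a sled. The NOP-equivalent list, the threshold, and the sample inputs are constructed for illustration.

```python
# Added example (not from the thread): a defender-side check for the
# "1000*[NOP] [shellcode]" layout. It scans a payload for long runs of
# single-byte x86 NOP-equivalent instructions and reports the longest run,
# the kind of check an IDS applies to inbound data before it reaches a daemon.

# Single-byte x86 instructions commonly used as sled filler. This set is an
# assumption for illustration; a real sensor would use a larger, tuned list.
NOP_EQUIVALENTS = frozenset({
    0x90,                    # nop
    0x41, 0x42, 0x43,        # inc ecx / inc edx / inc ebx
    0x48, 0x49, 0x4a, 0x4b,  # dec eax / dec ecx / dec edx / dec ebx
    0x50, 0x51, 0x52, 0x53,  # push eax / push ecx / push edx / push ebx
    0x58, 0x59, 0x5a, 0x5b,  # pop eax / pop ecx / pop edx / pop ebx
    0x97,                    # xchg eax, edi
})


def longest_sled(payload: bytes, allowed=NOP_EQUIVALENTS):
    """Return (offset, length) of the longest run of sled-like bytes."""
    best_off, best_len = 0, 0
    run_off, run_len = 0, 0
    for i, b in enumerate(payload):
        if b in allowed:
            if run_len == 0:
                run_off = i          # a new run starts here
            run_len += 1
            if run_len > best_len:
                best_off, best_len = run_off, run_len
        else:
            run_len = 0              # any other byte ends the run
    return best_off, best_len


def looks_like_sled(payload: bytes, threshold: int = 32) -> bool:
    """Flag payloads whose longest NOP-like run reaches the threshold."""
    return longest_sled(payload)[1] >= threshold


# Constructed sample inputs: a benign request and a sled-shaped buffer.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
SLED = b"x" * 16 + b"\x90" * 1000 + b"\xcc\xcc\xcc\xcc"  # int3 stands in for code

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("sled", SLED)):
        off, length = longest_sled(data)
        print(f"{name}: longest run {length} at offset {off}, "
              f"flagged={looks_like_sled(data)}")
```

The threshold trades false positives (long runs of capital letters are legal text) against missed short sleds, which is why real sensors pair this check with other signals.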
atomix
Oct 9 2003, 12:31 PM
well, see, offsets and/or return addresses are found within the core dumps. for example, if i happened to send an exploit code towards a daemon and it replied back "Segmentation Fault" and then dropped the core, i would use a debugging program such as GDB; i'd use that to dig into it, and within it i would find the return address it sent in order to create that segmentation fault, and i would use that as an offset. there are probably other ways to retrieve a return address, but that's the original way they're found.
fluffibunni
Oct 10 2003, 01:31 PM
you are correct, but we don't have core in WIN OS. what should we do now?
ddanix
Oct 12 2003, 01:27 PM
use the cygwin gcc compiler for windows; it will make core and shit
fluffibunni
Oct 14 2003, 05:06 PM
woow, i don't have the source code,
so i can't use a compiler. i only want to find a RET address,
and i think the best method is offset brute forcing?
and can you answer my second question?