Dailydave
mailing list archives
Re: A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness
From: Dave Aitel <dave () immunitysec com>
Date: Fri, 07 Jan 2005 13:39:00 -0500
halvar () gmx de wrote:
Readclient shellcode is the obvious way to go when doing ISAPI. The retrieval of the connection ID is in most cases not a problem -- very few ISAPIs I've seen overflow in a different thread than the one that went through HttpExtensionProc. In that case, unless you're very unlucky, your ESP is still intact, and unless you _really_ smashed the stack (e.g. memcpy(,,-1)) you will have no problem retrieving the lpECB from [ESP+static_offset]. Remember that stack frame sizes are constant for a given executable, and that you can just rely on a value you figured out in your own debugger here. Of course, you have to adjust one offset in the shellcode to make it work for different targets.
(The following note is stuff Halvar and a lot of people already know or find too obvious to mention, but not everyone does.)

This is true in some cases, but not in others (heap overflows, even some stack overflows). A good ISAPI code will handle those cases. It's nice to avoid that extra step, in any case. :>
-dave
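The read-client staging that Halvar and Dave are discussing, as an added example that is not part of the original thread. It is a portable C model of the pattern: the EXTENSION_CONTROL_BLOCK is cut down to the fields a stager touches (the real Win32 struct has many more; cbSize, dwVersion and ConnID are its first three), ReadClient is mocked over a constructed request body that hands out short reads the way a socket can, and the recovery of lpECB from [ESP+static_offset] is replaced by passing the pointer in directly, because that step is target-specific assembly that this demo does not reproduce. The cbSize plausibility check on the candidate pointer is my addition for the "not always at the static offset" case, not something the post prescribes; all names and the sample body are constructed for the demo.

```c
/* Added example, not from the post: models ISAPI "read-client" staging.
 * The second stage of the payload is still on the wire after the overflow
 * trigger; the stager pulls it in through the ECB's ReadClient callback. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t DWORD;
typedef int BOOL;
typedef void *HCONN;

/* Simplified ISAPI ECB (assumption for the demo). The real
 * EXTENSION_CONTROL_BLOCK starts with these three fields in this order and
 * carries many more before the ReadClient pointer; the rest is omitted here. */
typedef struct {
    DWORD cbSize;
    DWORD dwVersion;
    HCONN ConnID;
    BOOL (*ReadClient)(HCONN ConnID, void *lpvBuffer, DWORD *lpdwSize);
} ISAPI_ECB;

/* Constructed "socket": the unread remainder of the request body. */
typedef struct {
    const uint8_t *data;
    DWORD len;
    DWORD pos;
    DWORD max_chunk;   /* mock hands out at most this many bytes per call */
} FakeConn;

/* Mock of ReadClient: TRUE with fewer bytes than asked for on a short read,
 * TRUE with zero bytes once the client has closed the connection. */
static BOOL mock_ReadClient(HCONN ConnID, void *buf, DWORD *size)
{
    FakeConn *c = (FakeConn *)ConnID;
    DWORD want = *size, left = c->len - c->pos;
    if (left == 0) { *size = 0; return 1; }
    if (want > c->max_chunk) want = c->max_chunk;
    if (want > left) want = left;
    memcpy(buf, c->data + c->pos, want);
    c->pos += want;
    *size = want;
    return 1;
}

/* Plausibility check on a candidate lpECB (my addition): when the pointer
 * was not where the static stack offset says it should be, refuse to call
 * through garbage. Real shellcode would first need the page to be readable. */
static int ecb_looks_valid(const ISAPI_ECB *ecb)
{
    return ecb != NULL && ecb->cbSize == sizeof(ISAPI_ECB) && ecb->ReadClient != NULL;
}

/* Stager: read exactly `want` bytes of second stage via ReadClient, looping
 * over short reads. Returns bytes received; less than `want` means the
 * client hung up, zero means the ECB pointer was rejected or nothing came. */
static DWORD stage_via_readclient(const ISAPI_ECB *ecb, uint8_t *out, DWORD want)
{
    DWORD got = 0;
    if (!ecb_looks_valid(ecb)) return 0;
    while (got < want) {
        DWORD n = want - got;
        if (!ecb->ReadClient(ecb->ConnID, out + got, &n) || n == 0) break;
        got += n;
    }
    return got;
}

/* Demo driver: a constructed 15-byte body delivered in 7-byte chunks, so a
 * full stage needs three ReadClient calls. */
static DWORD demo_stage(uint8_t *out, DWORD outlen)
{
    static const uint8_t body[] = "STAGE2:" "\x90\x90\x90\xcc" "tail";
    FakeConn conn = { body, (DWORD)(sizeof(body) - 1), 0, 7 };
    ISAPI_ECB ecb = { sizeof(ISAPI_ECB), 0, &conn, mock_ReadClient };
    return stage_via_readclient(&ecb, out, outlen);
}

int main(void)
{
    uint8_t buf[64];
    DWORD n = demo_stage(buf, 15);
    printf("staged %u bytes, first 7: %.7s\n", (unsigned)n, (const char *)buf);
    return 0;
}
```

The loop matters more than it looks: a single ReadClient call is not guaranteed to return the whole stage, so a stager that issues one read and jumps into the buffer will execute a truncated payload whenever the body arrives in more than one segment.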
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave