If the shellcode were located in
region A above and were getting corrupted as a result of stack growth, one possible solution
would be to move the shellcode higher in region A, further away from esp, and to
hope that the stack would not grow enough to hit it. If there were not sufficient space to
move the shellcode within region A, then it might be possible to relocate the shellcode
to region B and avoid stack growth issues altogether. Similarly, shellcode located in
region B that is getting corrupted could be moved even deeper into region B, or potentially
relocated to region A. In some cases, it might not be possible to position your
shellcode in such a way that it would avoid this type of corruption. This leads us to the
most general solution to the problem, which is to adjust esp so that it points to a location
clear of our shellcode. This is easily accomplished by inserting an instruction that adds
a constant to esp, or subtracts one from it, large enough to keep esp clear of our
shellcode. This instruction must generally be added as the first instruction in our payload,
prior to any decoder if one is present.
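To make the hazard concrete, here is an added model (not the book's code) of an x86-style stack that grows toward lower addresses: it shows pushes made by a running payload clobbering the bytes just below esp, and computes the constant to add to or subtract from esp so that the growth window no longer touches the payload. All addresses, sizes and the filler payload bytes are constructed for illustration.

```python
# Added model (not the book's code) of an x86-style stack that grows toward
# lower addresses: pushes made by a running payload overwrite the bytes just
# below esp, and an initial esp adjustment keeps that window clear of the
# payload. All addresses, sizes and the filler payload are constructed.

def growth_window(esp, growth):
    """Half-open address range that `growth` bytes of pushes/calls overwrite."""
    return esp - growth, esp

def overlaps(a, b):
    """True if half-open ranges a and b share at least one byte."""
    return a[0] < b[1] and b[0] < a[1]

def esp_adjustment(esp, code_start, code_end, growth):
    """Signed constant to add to esp (negative means 'sub esp, N') so the
    growth window no longer intersects the payload at [code_start, code_end).
    Returns 0 when the payload is already clear of the window."""
    if not overlaps(growth_window(esp, growth), (code_start, code_end)):
        return 0
    down = code_start - esp        # sub esp, N: pushes land below the payload
    up = code_end + growth - esp   # add esp, N: pushes land above the payload
    return down if abs(down) <= abs(up) else up

class Stack:
    """Flat byte array standing in for the memory around esp."""
    def __init__(self, base, size):
        self.base, self.mem = base, bytearray(size)
    def write(self, addr, data):
        off = addr - self.base
        assert 0 <= off and off + len(data) <= len(self.mem), "outside model"
        self.mem[off:off + len(data)] = data
    def read(self, addr, n):
        return bytes(self.mem[addr - self.base:addr - self.base + n])

def run_payload(stack, esp, code_start, code, pushes, adjust=0):
    """Place `code`, apply the esp adjustment as the very first step, then
    simulate 4-byte pushes. Returns (payload_intact, final_esp)."""
    stack.write(code_start, code)
    esp += adjust
    for value in pushes:
        esp -= 4
        stack.write(esp, value.to_bytes(4, "little"))
    return stack.read(code_start, len(code)) == code, esp

if __name__ == "__main__":
    filler = bytes(range(0x20, 0x40))          # 32 constructed bytes, not real code
    esp, start = 0x1100, 0x10F0                # payload straddles esp
    adj = esp_adjustment(esp, start, start + len(filler), growth=32)   # -16
    for a in (0, adj):
        print("esp adjust", a, "intact:", run_payload(Stack(0x1000, 0x200), esp, start, filler, [0] * 8, a)[0])
```

Run stand-alone it prints that the payload is corrupted with no adjustment and intact once esp is moved 16 bytes down before the first push.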
Disassembling Shellcode
Until you are ready and willing to write your own shellcode using assembly language tools,
you may find yourself relying on published shellcode payloads or automated shellcode-generation tools.