The second thing to
learn is exactly what is being written and whether you can control that value; in which
case, you have the capability to write any value anywhere. Some creativity is required to
utilize this seemingly minor capability to take control of the vulnerable program. The
goal is to write your carefully chosen value to an address that will ultimately result in
control being passed to your shellcode. Common overwrite locations include saved
return addresses, jump table pointers, import table pointers, and function pointers. Format
string vulnerabilities and heap overflows both work in this manner because the
attackers gain the ability to write a data value of their choosing (usually 4 bytes, but
sometimes as little as 1 or as many as 8) to a location or locations of their choosing.
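As an added illustration (not from the book) of why a format string bug hands over the write primitive just described: C's %n conversion stores the number of bytes printed so far through the matching pointer argument, so whoever controls the format string chooses both the value and the destination. The vulnerable/hardened pair and the audit helper below are this example's own constructions.

```c
/* Added example: the %n write primitive behind format string bugs, the
 * two-line fix, and an audit helper for flagging %n in untrusted formats. */
#include <stdio.h>
#include <string.h>

/* Vulnerable: untrusted text is used as the format string, so a %n inside
 * it writes the running byte count to whatever pointer is on the stack. */
void log_unsafe(const char *msg)
{
    printf(msg);
}

/* Hardened: the format is a literal; msg is only ever treated as data. */
void log_safe(const char *msg)
{
    printf("%s\n", msg);
}

/* Audit helper (constructed for this example): walk each printf conversion
 * specification and report whether any of them is %n. Handy as a code-review
 * or log-triage rule; it does not replace using a literal format string. */
int contains_write_directive(const char *fmt)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }                 /* literal "%%" */
        while (*p && strchr("-+ #0", *p)) p++;            /* flags */
        while (*p == '*' || (*p >= '0' && *p <= '9')) p++; /* width */
        if (*p == '.') {                                  /* precision */
            p++;
            while (*p == '*' || (*p >= '0' && *p <= '9')) p++;
        }
        while (*p && strchr("hlLjzt", *p)) p++;           /* length modifiers */
        if (*p == 'n') return 1;                          /* %n, %hhn, %ln ... */
        if (*p == '\0') break;
        p++;
    }
    return 0;
}
```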
Figure 18-2 OllyDbg Call Stack display

Gray Hat Hacking: The Ethical Hacker's Handbook
464

Improving Exploit Reliability

Another reason to spend some time understanding register content is to determine
whether any registers point directly at your shellcode at the time you take control of
eip. Since the big question to be answered when constructing an exploit is "What is
the address of my shellcode?", finding that address in a register can be a big help.