
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

The same techniques used in getopcode could be applied to perform similar searches through Windows PE binaries. The Metasploit project has taken this idea a step further and created a web-accessible database that allows users to look up the location of various instructions or instruction sequences within any of the Windows libraries they happen to support. This makes locating a jmp esp a relatively painless task where Windows exploitation is concerned.

Using this technique in your exploit is far more likely to produce a 100 percent reliable exploit that works against every identical copy of the binary, because the address you overwrite the return address with (the address of the jmp esp) no longer depends on where your shellcode happens to land on the stack; it only requires that the library containing the instruction be loaded at the same base address on every target. Unfortunately, each time the program is compiled with new compiler settings or on a different platform, the useful jump instruction is likely to move or disappear entirely, breaking your exploit.
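As an added example (this is not code from the book, from getopcode or from the Metasploit Opcode Database), the following C scanner does the core of what those tools do: it walks a raw byte buffer looking for the two-byte sequences that transfer control to ESP (jmp esp, call esp, push esp; ret) and then maps a file offset inside a PE section to the virtual address that would go into the overwritten return address. The sample bytes, the image base 0x77e60000 and the section geometry are constructed for the demonstration and are not taken from any real library.

```c
/* Added example (not code from Gray Hat Hacking, getopcode or the Metasploit
 * Opcode Database): scan a raw byte buffer for the x86 opcode sequences that
 * transfer control to ESP, the way a jmp esp search over a PE section works.
 * The sample bytes and the PE section geometry below are constructed for the
 * demonstration, not taken from any real library. */
#include <stddef.h>
#include <stdio.h>

/* Opcode sequences worth looking for. Any of them lands execution at ESP,
 * which is where the shellcode sits right after a stack overflow returns. */
typedef struct {
    unsigned char bytes[2];
    const char   *name;
} opcode_seq_t;

static const opcode_seq_t pivots[] = {
    { { 0xff, 0xe4 }, "jmp esp"       },
    { { 0xff, 0xd4 }, "call esp"      },
    { { 0x54, 0xc3 }, "push esp; ret" },
};
#define NUM_PIVOTS (sizeof(pivots) / sizeof(pivots[0]))

typedef struct {
    size_t offset;   /* byte offset inside the scanned buffer */
    int    which;    /* index into pivots[] */
} hit_t;

/* Scan every byte position. A match does not have to be an instruction the
 * compiler emitted: two bytes in the middle of a longer instruction, or in
 * data, still execute as jmp esp when control is transferred directly there.
 * Returns the total number of matches; at most max_hits of them are stored. */
size_t find_stack_pivots(const unsigned char *buf, size_t len,
                         hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        for (size_t g = 0; g < NUM_PIVOTS; g++) {
            if (buf[i] == pivots[g].bytes[0] && buf[i + 1] == pivots[g].bytes[1]) {
                if (n < max_hits) {
                    hits[n].offset = i;
                    hits[n].which  = (int)g;
                }
                n++;
            }
        }
    }
    return n;
}

/* Translate a file offset inside one PE section into the virtual address the
 * exploit must overwrite the return address with:
 * image base + section RVA + offset within the section's raw data. */
unsigned long offset_to_va(size_t file_offset, size_t section_raw_offset,
                           unsigned long image_base, unsigned long section_rva)
{
    return image_base + section_rva + (unsigned long)(file_offset - section_raw_offset);
}

/* Constructed sample "section": a function prologue (push ebp; mov ebp, esp),
 * a jmp esp, a nop, a push esp; ret and a call esp. */
static const unsigned char sample[] = {
    0x55, 0x8b, 0xec, 0xff, 0xe4, 0x90, 0x54, 0xc3, 0xff, 0xd4
};

/* Run the scan over the constructed sample; returns the match count. */
size_t scan_sample(hit_t *hits, size_t max_hits)
{
    return find_stack_pivots(sample, sizeof(sample), hits, max_hits);
}

int main(void)
{
    hit_t hits[16];
    size_t n = scan_sample(hits, 16);
    /* Hypothetical geometry: image base 0x77e60000, .text section with
     * RVA 0x1000 whose raw data starts at file offset 0x400, and the sample
     * placed at the start of that raw data. */
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%-14s at offset %zu -> VA 0x%08lx\n",
               pivots[hits[i].which].name, hits[i].offset,
               offset_to_va(0x400 + hits[i].offset, 0x400, 0x77e60000UL, 0x1000UL));
    return 0;
}
```

Against a real DLL you would read each executable section's raw data, its PointerToRawData and its VirtualAddress from the section table and pass those in place of the hypothetical 0x400 and 0x1000; the scan itself is unchanged, which is why the same approach works for ELF and PE alike.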
References
David Litchfield, "Variations in Exploit Methods between Linux and Windows", www.nextgenss.com/papers/exploitvariation.pdf
The Metasploit Opcode Database, http://metasploit.com/users/opcode/msfopcode.cgi
PART IV, Chapter 18: From Vulnerability to Exploit, page 465
Understanding the Problem
Believe it or not, it is possible to exploit a program without understanding why that program
is vulnerable.

