If only there was some way to get the addresses that a remote RPC program used for its variables, which would tell us what segments were valid. Perhaps page 49 of "DCE/RPC over SMB" by Luke Kenneth Casson Leighton (hi Luke!) will help us out.

"Pointers. The best way to think of the NDR representation of pointers is as tokens. They "represent" pointers. There must be a monotonic (one-to-one) mapping between the pointer that the token represents and the token itself. Windows NT is primarily implemented on a 32-bit platform, the x86 architecture, and the NDR pointer-tokens are also 32-bit. Microsoft therefore puts memory addresses (sometimes actual pointers to kernel memory [note: or process memory from the stack or various other segments]) over-the-wire, which does the trick and is simple to implement, but not very secure."

This is generally what I'm seeing with Windows 2000 SP3 here in my lab. (I spent a while trying to track down what a particular field with the Locator traffic was, but it turned out to be just a part of my stack.) In practice, you would want to get the address of the data segment for RPCRT4, I imagine, rather than the all-too-fickle stack. :>

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/CANVAS/

(P.S. There are many vulnerable interfaces in the locator service, it turns out. One of them is available by default.)

On Mon, 3 Feb 2003 13:49:31 -0800 (PST) Michal Zalewski <lcamtuf@coredump.cx> wrote:
> On Mon, 3 Feb 2003, David Litchfield wrote:
>
> > Use addresses such as 0x**000000 or 0x00**0000 for the new image
> > base. With there being a NULL in much of the image's address space
> > this will help. (This of course won't make a difference with unicode
> > overflows)
>
> Just FYI, both techniques are somewhat old in the *nix world. NUL in
> the address is, among others, implemented by the Openwall kernel patch
> on Linux, and PaX randomizes stack and executable base mapping
> addresses.
>
> --
> -------------------------
> bash$ :(){ :|:&};:
> --
> Michal Zalewski * [http://lcamtuf.coredump.cx]
> Did you know that clones never use mirrors?
> --------------------------- 2003-02-03 13:45 --
>
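The thread makes two points that an assessor can actually check in traffic: NDR "pointer tokens" are 32-bit referent IDs that, on the implementations discussed, may be raw process addresses rather than opaque tokens, and Litchfield's image-base suggestion works because an address containing a 0x00 byte cannot be delivered by a NUL-terminated string copy. The following Python is an added example (not code from the thread, from Immunity, or from Leighton's book) that parses the referent IDs out of a constructed NDR stub fragment and flags the ones that land inside a constructed memory map of the server process, i.e. an address-disclosure check for an RPC interface under review. The MEMORY_MAP ranges, the sample stub bytes and the "0x0002xxxx means an opaque MIDL token" heuristic are all assumptions made for the example; a real assessment would take the map from the debugger.

```python
import struct

# Constructed sample: a little-endian NDR stub fragment containing four
# 32-bit "unique pointer" referent IDs. Values are invented for this example.
SAMPLE_STUB = struct.pack(
    "<IIII",
    0x00020000,  # opaque referent token (assumed MIDL convention, see below)
    0x0012FF40,  # falls in the constructed stack range: a leaked stack address
    0x77E80000,  # falls in the constructed DLL range: a leaked module address
    0x00000000,  # NULL pointer (pointer not present)
)

# Constructed memory map of the hypothetical RPC server process:
# (region name, start, end). Assumption for the example, not real data.
MEMORY_MAP = [
    ("stack (main thread)", 0x00030000, 0x00130000),
    ("rpcrt4.dll",          0x77D30000, 0x77DA0000),
    ("kernel32.dll",        0x77E60000, 0x77F40000),
]


def parse_referents(stub: bytes) -> list:
    """Split an NDR stub fragment into 32-bit little-endian referent IDs."""
    if len(stub) % 4:
        raise ValueError("NDR referent IDs are 4-byte aligned")
    return [value for (value,) in struct.iter_unpack("<I", stub)]


def classify_referent(value: int, memory_map) -> tuple:
    """Return (kind, region): 'null', 'address' (inside a mapped region),
    'token' (looks like an opaque marshalling token) or 'unknown'."""
    if value == 0:
        return ("null", None)
    for name, start, end in memory_map:
        if start <= value < end:
            return ("address", name)
    # Heuristic (assumption): opaque MIDL referent tokens are 0x00020000 + 4*n.
    if value & 0xFFFF0000 == 0x00020000:
        return ("token", None)
    return ("unknown", None)


def has_nul_byte(value: int) -> bool:
    """True if any byte of the 32-bit value is 0x00: such an address cannot be
    written past the NUL by a C string copy, which is Litchfield's point about
    image bases like 0x**000000 or 0x00**0000."""
    return any(((value >> shift) & 0xFF) == 0 for shift in (0, 8, 16, 24))


def audit(stub: bytes, memory_map) -> list:
    """Classify every referent ID in the stub and note whether it contains a
    NUL byte; 'address' findings are disclosures of process layout."""
    findings = []
    for index, value in enumerate(parse_referents(stub)):
        kind, region = classify_referent(value, memory_map)
        findings.append({
            "offset": index * 4,
            "value": value,
            "kind": kind,
            "region": region,
            "nul_byte": has_nul_byte(value),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_STUB, MEMORY_MAP):
        print("offset {offset:2d}: 0x{value:08X} {kind:8s} {region}".format(**f))
```

Run against a real capture, the stub bytes would come from the decoded request or response body and the map from the target process; every 'address' finding is a referent the server should have been sending as an opaque token, and the nul_byte flag tells you whether the disclosed region would even be reachable through a NUL-terminated copy.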