Bugtraq mailing list archives
Using function supplied parameters in buffer overflow exploitation.
From: Pauli Ojanpera <pauli_ojanpera () HOTMAIL COM>
Date: Wed, 13 Dec 2000 11:53:39 +0200
I recently noticed that, in the recent WinAmp .M3U playlist parsing error I found, you can use a pointer already in the stack. Dunno if this is a known concept.

The faulty function is supplied a pointer which is then, inside the function, set to point at the beginning of the buffer that gets overflowed during the function's execution.

Stack:

  [bufptr as a parameter] [return address] [saved frame pointer] [buffer]

So you can exploit it by overflowing the return address with an address that points to another ret instruction, which subsequently fetches bufptr off the stack and jumps to it.

You can also roam the stack upwards to find other suitable pointers in there. You just have to use a row of pointers to a ret instruction to get the esp value to point higher up the stack.

  [buffer][ptr-to-ret][ptr-to-ret][ptr-to-ret][*magic-ret-val-here-already-in-stack*]

You can also point the execution to the instructions preceding a ret, to affect other register values. For example, to the usual instruction preceding a "ret". To code like this:

  pop ebp
  ret

--
Too bad I'm not too good at explaining things.
--
--
Thanks for the attention.
--
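Added illustration (editor's example, not part of Pauli's post and not WinAmp code): a small C model of the frame the post describes and of what each ret in the chain does to esp and eip. The buffer address, the location of the "pop ebp; ret" / "ret" gadgets, the frame size and the caller's data are all assumed values; the point is to make the counting visible: the function's own ret consumes the overwritten return address, each ptr-to-ret above it consumes one more slot, and the first slot that holds something other than a gadget address is where control really goes. It also generalises the post's "roam upwards" idea (bufptr k slots above the return address needs k gadgets) and shows the "pop ebp; ret" trick loading a chosen ebp on the way.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the 32-bit frame from the post, lowest address first, one 4-byte
 * word per slot:
 *   [buffer][saved ebp][return address][bufptr parameter][more caller data]
 * Addresses and gadget locations are assumed for the example (fixed load
 * addresses, executable stack, no stack cookie: the 2000-era situation).
 */
#define BUF_WORDS      16                  /* 64-byte local buffer */
#define FRAME_WORDS    (BUF_WORDS + 8)     /* saved ebp, retaddr, 6 caller words */
#define SLOT_SAVED_EBP (BUF_WORDS)
#define SLOT_RETADDR   (BUF_WORDS + 1)
#define MAX_CHAIN      (FRAME_WORDS - SLOT_RETADDR)

#define BUF_ADDR    0x0012FF00u            /* assumed address of the buffer */
#define POPEBP_RET  0x77E3A1B3u            /* assumed "pop ebp; ret" (5D C3) in a loaded DLL */
#define RET_GADGET  (POPEBP_RET + 1)       /* the lone "ret" one byte further on */
#define NOP_WORD    0x90909090u            /* stand-in for shellcode at the buffer start */

struct cpu { uint32_t eip, ebp; size_t esp; };   /* esp kept as a slot index */

/* Frame as it looks just before the overflow, with bufptr parked in ptr_slot. */
static void build_frame(uint32_t *st, size_t ptr_slot)
{
    for (size_t i = 0; i < BUF_WORDS; i++) st[i] = NOP_WORD;
    st[SLOT_SAVED_EBP] = 0x0012FFC0u;                /* caller's ebp (assumed) */
    st[SLOT_RETADDR]   = 0x00401234u;                /* honest return into the caller (assumed) */
    for (size_t i = SLOT_RETADDR + 1; i < FRAME_WORDS; i++)
        st[i] = 0xDEAD0000u + (uint32_t)i;           /* unrelated caller data (constructed) */
    st[ptr_slot] = BUF_ADDR;                         /* the parameter that already points at the buffer */
}

/* The overflow: the copy runs through saved ebp and drops `chain` (n words)
   on the return address and the slots above it. Returns the words written
   past the buffer, i.e. what the attacker sends beyond the 64 bytes. */
static size_t overflow(uint32_t *st, const uint32_t *chain, size_t n)
{
    if (n > MAX_CHAIN) n = MAX_CHAIN;
    st[SLOT_SAVED_EBP] = 0x41414141u;
    for (size_t i = 0; i < n; i++) st[SLOT_RETADDR + i] = chain[i];
    return n + 1;
}

/* Run the vulnerable function's own "pop ebp; ret" epilogue, then keep
   following the chain while eip lands on a gadget we model. Stops at the
   first eip that is not one, which is where real execution would resume. */
static struct cpu run(const uint32_t *st)
{
    struct cpu c = { st[SLOT_RETADDR], st[SLOT_SAVED_EBP], SLOT_RETADDR + 1 };
    for (int steps = 0; steps < 64 && c.esp < FRAME_WORDS; steps++) {
        if (c.eip == POPEBP_RET) { c.ebp = st[c.esp++]; c.eip = RET_GADGET; } /* pop ebp, fall into ret */
        else if (c.eip == RET_GADGET) c.eip = st[c.esp++];                    /* ret: eip = pop */
        else break;
    }
    return c;
}

/* bufptr sits ptr_offset slots above the return address; n_gadgets copies of
   ptr-to-ret climb towards it. ptr_offset == n_gadgets == 1 is the post's
   basic case (bufptr is the first parameter). Returns where eip ends up,
   or 0 if the request does not fit the modelled frame. */
static uint32_t exploit_climb(size_t ptr_offset, size_t n_gadgets)
{
    uint32_t st[FRAME_WORDS], chain[MAX_CHAIN];
    if (ptr_offset >= MAX_CHAIN || n_gadgets > MAX_CHAIN) return 0;
    build_frame(st, SLOT_RETADDR + ptr_offset);
    for (size_t i = 0; i < n_gadgets; i++) chain[i] = RET_GADGET;
    overflow(st, chain, n_gadgets);
    return run(st).eip;
}

/* Same climb, but the first gadget is "pop ebp; ret", so the word after it is
   loaded into ebp on the way; bufptr here sits 3 slots above the return address. */
static struct cpu exploit_set_ebp(uint32_t wanted_ebp)
{
    uint32_t st[FRAME_WORDS];
    uint32_t chain[3] = { POPEBP_RET, wanted_ebp, RET_GADGET };
    build_frame(st, SLOT_RETADDR + 3);
    overflow(st, chain, 3);
    return run(st);
}

int main(void)
{
    struct cpu c = exploit_set_ebp(0x0012FE00u);
    printf("bufptr is first param, 1 gadget : eip=%#010x\n", (unsigned)exploit_climb(1, 1));
    printf("bufptr 4 slots up,     4 gadgets: eip=%#010x\n", (unsigned)exploit_climb(4, 4));
    printf("bufptr 4 slots up,     3 gadgets: eip=%#010x (one ret short, lands on junk)\n",
           (unsigned)exploit_climb(4, 3));
    printf("pop ebp; ret first              : eip=%#010x ebp=%#010x\n",
           (unsigned)c.eip, (unsigned)c.ebp);
    return 0;
}
```

The miscount case is the one worth remembering: with the pointer four slots up and only three ptr-to-ret words, the last ret pops whatever the caller left in that slot, and nothing in the chain can recover from it. On a real target you find the gadget address with a disassembler over a module that loads at a fixed address, and you learn the distance to the parameter slot from the frame layout of the faulty function, not by guessing.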
Current thread:
- Using function supplied parameters in buffer overflow exploitation. Pauli Ojanpera (Dec 14)