Bugtraq mailing list archives

Re: Preventing exploitation with rebasing


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 5 Feb 2003 12:36:08 -0800 (PST)

On Wed, 5 Feb 2003, David Litchfield wrote:

> For example assume an image base for an exe is 0x00400000 and the C code
> does printf("hello"); This will generate something like
>
> push 0x0042001C    // push pointer to hello
> call 0x00401060    // call printf
>
> If I then make the image base 0x00410000 and I also change /.../ to
> become
>
> push 0x0043001C
> call 0x00411060

First of all, no, you do not change the call: on Intel, it's likely to be
a relative 32-bit call (E8 .. .. .. ..) within the code, and it's
relocatable without any changes.

Also, what if I wanted to pass a value 4325404 (0x42001c) to this
function, and it is not a pointer, only looks this way? For example, some
FOO_ASYNC flag is defined as 0x400000, FOO_LOCK as 0x020000, and voila, OR
them and you have "a pointer".

In other cases, say, with register calls, it is getting even nastier,
because even if, one way or another, you managed to find out how every
single function is going to use its parameters (not likely), register
calls are still black magic.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-02-05 12:24 --
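The two points above, modelled in C as an added example (this is not code from either poster). It encodes the quoted `push`/`call` pair the way a compiler would for two image bases and checks which bytes actually differ: the E8 `call rel32` is byte-identical and still resolves to the rebased printf, while the `push imm32` carries an absolute address and does need a fixup. It also shows why a value-based "does this immediate look like a pointer?" test cannot tell the string address apart from FOO_ASYNC|FOO_LOCK|0x1C. The RVAs (0x1000 for the snippet, 0x1060 for printf, 0x2001C for the string) and the image size are assumptions chosen so that the 0x00400000 base reproduces the addresses in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the thread. The RVAs below are assumptions
 * chosen so that with image base 0x00400000 the addresses match the post
 * (0x0042001C for the string, 0x00401060 for printf).
 */
#define CODE_RVA    0x1000u    /* assumed RVA of the push/call pair           */
#define PRINTF_RVA  0x1060u    /* 0x00401060 - 0x00400000                     */
#define STR_RVA     0x2001Cu   /* 0x0042001C - 0x00400000                     */
#define SNIPPET_LEN 10         /* push imm32 (5 bytes) + call rel32 (5 bytes) */

/* Flag values from the post: two non-pointers that OR into "a pointer". */
#define FOO_ASYNC 0x400000u
#define FOO_LOCK  0x020000u

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Encode "push imm32" (opcode 68) then "call rel32" (opcode E8) as a
 * compiler would emit them for the given image base. */
void build_snippet(uint8_t out[SNIPPET_LEN], uint32_t image_base)
{
    uint32_t call_addr = image_base + CODE_RVA + 5;   /* call follows the push */

    out[0] = 0x68;                                    /* push: absolute VA      */
    put_le32(&out[1], image_base + STR_RVA);

    out[5] = 0xE8;                                    /* call: target - next IP */
    put_le32(&out[6], (image_base + PRINTF_RVA) - (call_addr + 5));
}

/* Target of an E8 call whose opcode byte sits at call_addr. */
uint32_t decode_call_target(const uint8_t *insn, uint32_t call_addr)
{
    return call_addr + 5 + (uint32_t)(int32_t)get_le32(insn + 1);
}

/* Build the snippet for image_base and decode its call as the CPU would. */
uint32_t call_target_for_base(uint32_t image_base)
{
    uint8_t s[SNIPPET_LEN];
    build_snippet(s, image_base);
    return decode_call_target(&s[5], image_base + CODE_RVA + 5);
}

/* 1 if the five call bytes are identical for both bases (no fixup needed). */
int call_bytes_unchanged(uint32_t base_a, uint32_t base_b)
{
    uint8_t a[SNIPPET_LEN], b[SNIPPET_LEN];
    build_snippet(a, base_a);
    build_snippet(b, base_b);
    return memcmp(&a[5], &b[5], 5) == 0;
}

/* 1 if the push immediate differs between the bases (fixup needed). */
int push_imm_changed(uint32_t base_a, uint32_t base_b)
{
    uint8_t a[SNIPPET_LEN], b[SNIPPET_LEN];
    build_snippet(a, base_a);
    build_snippet(b, base_b);
    return get_le32(&a[1]) != get_le32(&b[1]);
}

/* A value-based "is this a pointer?" heuristic: true for any immediate that
 * falls inside the image, which a flags word can do just as easily. */
int imm_looks_like_pointer(uint32_t imm, uint32_t image_base, uint32_t image_size)
{
    return imm >= image_base && imm - image_base < image_size;
}

int main(void)
{
    uint32_t old_base = 0x00400000u, new_base = 0x00410000u;

    printf("call bytes identical after rebase: %d\n",
           call_bytes_unchanged(old_base, new_base));
    printf("call resolves to 0x%08X at old base, 0x%08X at new base\n",
           call_target_for_base(old_base), call_target_for_base(new_base));
    printf("push immediate changed: %d\n", push_imm_changed(old_base, new_base));
    printf("FOO_ASYNC|FOO_LOCK|0x1C = 0x%08X, in-image: %d\n",
           FOO_ASYNC | FOO_LOCK | 0x1Cu,
           imm_looks_like_pointer(FOO_ASYNC | FOO_LOCK | 0x1Cu, old_base, 0x30000u));
    return 0;
}
```

The rel32 for the call works out to the same 0x56 at both bases, so rebasing leaves those five bytes alone; only the absolute operand of the `push` moves, and a relocator that decides what to patch by looking at the value alone has no way to know whether 0x0042001C is a string address or an OR of two flags.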