Bugtraq mailing list archives
Re: Preventing exploitation with rebasing
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 5 Feb 2003 12:36:08 -0800 (PST)
On Wed, 5 Feb 2003, David Litchfield wrote:
> For example assume an image base for an exe is 0x00400000 and the c code does printf("hello"); This will generate something like
>
>     push 0x0042001C // push pointer to hello
>     call 0x00401060 // call printf
>
> If I then make the image base 0x00410000 and I also change /.../ to become
>
>     push 0x0043001C
>     call 0x00411060
First of all, no, you do not change the call. On Intel, it's likely to be a relative 32-bit call (E8 .. .. .. ..) within the code, and it's relocatable without any changes.

Also, what if I wanted to pass a value 4325404 (0x42001c) to this function, and it is not a pointer, only looks this way? For example, some FOO_ASYNC flag is defined as 0x400000, FOO_LOCK as 0x020000, and voila, OR them and you have "a pointer".

In other cases, say, with register calls, it is getting even nastier, because even if, one way or another, you managed to find out how every single function is going to use its parameters (not likely), register calls are still black magic.

-- 
-------------------------
bash$ :(){ :|:&};:
-- Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
---------------------------
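An added example, not part of either post: a toy of the rebasing Litchfield describes, run over constructed x86 bytes, showing the two problems Zalewski raises. The relative CALL (E8 rel32) needs no change when the image base moves, while an immediate built from the FOO_ASYNC|FOO_LOCK flag bits lands inside the old image range and is wrongly "relocated". The image size, instruction addresses and the three-opcode decoder are assumptions of this example.

```python
import struct

OLD_BASE, NEW_BASE = 0x00400000, 0x00410000   # image bases from the thread
IMAGE_SIZE = 0x00100000                       # assumed 1 MiB image
FOO_ASYNC, FOO_LOCK = 0x400000, 0x020000      # flag values from Zalewski's reply

def assemble(base):
    """Constructed code at base+0x1000: push "hello"; call printf; push flags; ret."""
    code_va, printf_va, hello_va = base + 0x1000, base + 0x1060, base + 0x2001C
    push_ptr = b"\x68" + struct.pack("<I", hello_va)          # push imm32, a real pointer
    # E8 rel32 is relative to the address of the instruction that follows the call
    rel = printf_va - (code_va + len(push_ptr) + 5)
    call = b"\xe8" + struct.pack("<i", rel)
    push_flags = b"\x68" + struct.pack("<I", FOO_ASYNC | FOO_LOCK)  # imm32 that only looks like a pointer
    return push_ptr + call + push_flags + b"\xc3"

def decode(code):
    """Yield (offset, mnemonic, operand) for the three opcodes this toy understands."""
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x68:                       # push imm32
            yield i, "push", struct.unpack_from("<I", code, i + 1)[0]
            i += 5
        elif op == 0xE8:                     # call rel32
            yield i, "call", struct.unpack_from("<i", code, i + 1)[0]
            i += 5
        elif op == 0xC3:                     # ret
            yield i, "ret", None
            i += 1
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {i}")

def naive_rebase(code, old_base, new_base, size):
    """Add the base delta to every push imm32 inside the old image; leave relative calls alone."""
    out = bytearray(code)
    for off, mn, imm in decode(code):
        if mn == "push" and old_base <= imm < old_base + size:
            struct.pack_into("<I", out, off + 1, imm + (new_base - old_base))
    return bytes(out)

def pushed_values(code):
    return [imm for _, mn, imm in decode(code) if mn == "push"]

def call_target(code, code_va):
    """Resolve the E8 call's absolute target when the code is loaded at code_va."""
    for off, mn, rel in decode(code):
        if mn == "call":
            return code_va + off + 5 + rel

if __name__ == "__main__":
    rebased = naive_rebase(assemble(OLD_BASE), OLD_BASE, NEW_BASE, IMAGE_SIZE)
    print([hex(v) for v in pushed_values(rebased)])     # second value was 0x420000: flags, now corrupted
    print(hex(call_target(rebased, NEW_BASE + 0x1000)))  # 0x411060: untouched call still resolves correctly
```

Comparing the rebased bytes with code assembled directly at the new base shows the pointer and the call agree, but the flag word does not.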