Dailydave mailing list archives
Exploiting single NUL byte writes in XP SP2 - Is it possible?
From: nnp <version5 () gmail com>
Date: Sat, 17 Nov 2007 09:46:00 -0800
Well this seemed like as good a place as any to ask this, so here goes.

Is it possible to exploit a single NUL byte write in XP SP2? I can write the NUL byte anywhere but for the life of me I can't think of any way to get code execution from this. As far as I can tell, to exploit this I would need to be able to get data I control within 255 bytes of an address that's called and then zero out the LSB, and that just doesn't seem possible in Windows.

Anyone have a better (and by better I mean even remotely possible ;) ) way to exploit this?

Cheers,
nnp

--
http://www.smashthestack.org
http://www.unprotectedhex.com