Dailydave mailing list archives

APEG


From: Dave Aitel <dave () immunityinc com>
Date: Fri, 25 Apr 2008 09:05:53 -0400



I'm reading that APEG paper again. This statement is not true, obviously. :>
"""
Determining the specific address
for a successful control hijack requires predicting the
processes memory layout, which changes each time the
process is invoked. Attackers currently do this by essen-
tially repeatedly launching an attack until the memory
layout matches what the exploit expects. We similarly
repeatedly launch the attack until we achieve a success-
ful control hijack.
"""


I'm a little confused as to what extent they generated real input. It's 
one thing to send input directly to IGMPrcvPacket via the debugger and 
another thing to do it from the network.

Hmm. So it seems maybe it looks more like this:
First you send some IGMP data to the server and look at the path of 
instructions it executes (to get a call tree as close as possible to the 
patch). Then you do static analysis to see if you can get from the 
closest point you got to, to the patched instructions. Then you try to 
change the input from there to reach the check while at the same time 
solving to make sure it doesn't cause the input to fail the earlier 
checks and not reach your vulnerable function. Does that sound right? 
Maybe someone can clue me in on how far off I am.

-dave
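The three steps sketched in the message (trace a concrete input, then constrain the path to the patched site, then solve for input that still passes the earlier checks) as an added toy that is not code from the APEG paper, its authors or Dave: each guard on the parser path is one byte-sized field compared against a constant, `trace` records which guards a concrete packet passes, and `input_reaching_new_check` solves the guards on the path together with the negation of the inserted check. The field names, constants and parser shape are invented; real path constraints are not single-field intervals, which is why APEG needs a real solver.

```python
from typing import Dict, List, Optional, Tuple
# Toy model (constructed): each guard compares one byte-sized field with a constant.
Guard = Tuple[str, str, int]   # (field, op, constant)
Interval = Tuple[int, int]     # inclusive bounds within 0..255

def guard_interval(op: str, c: int) -> Interval:
    """Values of a field that pass the guard (empty interval when lo > hi)."""
    return {"==": (c, c), "<": (0, c - 1), "<=": (0, c),
            ">": (c + 1, 255), ">=": (c, 255)}[op]

def negate(g: Guard) -> List[Guard]:
    """Guards whose disjunction is 'not g' ('==' splits into two cases)."""
    f, op, c = g
    return {"<": [(f, ">=", c)], "<=": [(f, ">", c)], ">": [(f, "<=", c)],
            ">=": [(f, "<", c)], "==": [(f, "<", c), (f, ">", c)]}[op]

def solve(guards: List[Guard]) -> Optional[Dict[str, int]]:
    """Intersect per-field intervals; return one witness input, or None if infeasible."""
    bounds: Dict[str, Interval] = {}
    for f, op, c in guards:
        lo, hi = guard_interval(op, c)
        blo, bhi = bounds.get(f, (0, 255))
        bounds[f] = (max(lo, blo), min(hi, bhi))
    if any(lo > hi for lo, hi in bounds.values()):
        return None
    return {f: lo for f, (lo, _) in bounds.items()}

def trace(path: List[Guard], pkt: Dict[str, int]) -> List[Guard]:
    """Step 1 (dynamic): guards a concrete input passes before it diverges from the path."""
    passed: List[Guard] = []
    for f, op, c in path:
        lo, hi = guard_interval(op, c)
        if not lo <= pkt.get(f, 0) <= hi:
            break
        passed.append((f, op, c))
    return passed

def input_reaching_new_check(path: List[Guard], new_check: Guard) -> Optional[Dict[str, int]]:
    """Steps 2-3: satisfy every guard on the path to the patched site and fail the
    inserted check, i.e. an input the pre-patch code accepted at that site."""
    for alt in negate(new_check):
        sol = solve(path + [alt])
        if sol is not None:
            return sol
    return None

# Constructed toy parser: guards before the patched site in execution order, then
# the single check the (invented) patch inserted there.
EARLY_PATH: List[Guard] = [("type", "==", 0x22), ("nrecs", ">", 0)]
NEW_CHECK: Guard = ("nrecs", "<=", 8)
```

A packet with `nrecs` 0 diverges at the second guard in `trace`, while the solver answers the reachability query with `{"type": 0x22, "nrecs": 9}`; the same query, run by a vendor, yields a regression test for the patch.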

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

