Dailydave mailing list archives
APEG
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 25 Apr 2008 09:05:53 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm reading that APEG paper again. This statement is not true, obviously. :>

"""
Determining the specific address for a successful control hijack requires predicting the process's memory layout, which changes each time the process is invoked. Attackers currently do this by essentially repeatedly launching an attack until the memory layout matches what the exploit expects. We similarly repeatedly launch the attack until we achieve a successful control hijack.
"""

I'm a little confused as to what extent they generated real input. It's one thing to send input directly to IGMPrcvPacket via the debugger and another thing to do it from the network.

Hmm. So it seems maybe it looks more like this:

First you send some IGMP data to the server and look at the path of instructions it executes (to get a call tree as close as possible to the patch). Then you do static analysis to see if you can get from the closest point you got to, to the patched instructions. Then you try to change the input from there to reach the check while at the same time solving to make sure it doesn't cause the input to fail the earlier checks and not reach your vulnerable function.

Does that sound right? Maybe someone can clue me in on how far off I am.

-dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIEdcwtehAhL0gheoRAqL9AJ40rU8NxWk4Bmh25bw0OsQoe8o90ACcD3X8
/JAOuBEIQBot/pfgasxvJcA=
=ijzm
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
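The three steps Dave sketches (trace the path a real packet takes, read off the checks between that point and the patched instructions, then solve for an input that passes the earlier checks and lands on the new one) are easier to see on a toy. The following is an added example, not code from the post, the Dailydave list or the APEG paper: the packet parser, its header fields and the "patched" length check are all hypothetical, and the solver is a plain backtracking search standing in for the paper's constraint solver. From the defender's side, the same derived input class is what you would turn into a regression test for the patch or a detection rule for the pre-patch condition.

```python
# Added example (not from the post or the APEG paper): a toy version of the
# three steps in the message, run on a hypothetical packet parser.
#   1. trace()  - record the sequence of checks a concrete packet passes (the "path").
#   2. CHECKS   - the parser's checks in order, i.e. what static analysis would
#                 give you between the traced point and the patched check.
#   3. solve()  - find bytes that satisfy every earlier check and then take the
#                 patched check's rejecting branch.
# The parser, its fields and the "patched" length check are all made up here.

HEADER_LEN = 8
FIELDS = ["payload_len"] + [f"b{i}" for i in range(HEADER_LEN)]
DOMAIN = {f: range(256) for f in FIELDS}
DOMAIN["payload_len"] = range(16)      # keep the search space small

# (name, fields the check reads, predicate that is True when the packet passes)
CHECKS = [
    ("bad_type", ["b0"], lambda v: v["b0"] >> 4 == 1),   # type nibble must be 1
    ("bad_flags", ["b1"], lambda v: v["b1"] in (0, 1)),
    ("bad_checksum", [f"b{i}" for i in range(HEADER_LEN)],
     lambda v: sum(v[f"b{i}"] for i in range(HEADER_LEN)) % 256 == 0),
    # Hypothetical check added by a patch: a record count must fit the payload.
    ("patched_check", ["b2", "payload_len"], lambda v: v["b2"] <= v["payload_len"]),
]

def fields_of(pkt):
    v = {f"b{i}": pkt[i] for i in range(HEADER_LEN)}
    v["payload_len"] = len(pkt) - HEADER_LEN
    return v

def trace(pkt):
    """Step 1: the path a concrete packet takes, up to the first check that rejects it."""
    if len(pkt) < HEADER_LEN:
        return [("too_short", False)]
    v = fields_of(pkt)
    path = []
    for name, _, passes in CHECKS:
        ok = passes(v)
        path.append((name, ok))
        if not ok:
            break
    return path

def parse(pkt):
    """Name of the check that rejected the packet, or 'handler' if it got through."""
    name, ok = trace(pkt)[-1]
    return "handler" if ok else name

def solve(target):
    """Step 3: field values that pass every check before `target` and then fail
    `target` itself (or pass everything when target == 'handler')."""
    wanted = []
    for name, fields, passes in CHECKS:
        if name == target:
            wanted.append((fields, lambda v, p=passes: not p(v)))
            break
        wanted.append((fields, passes))
    else:
        if target != "handler":
            raise ValueError(f"unknown check {target!r}")
    return _search({}, FIELDS, wanted)

def _search(assigned, remaining, wanted):
    # Backtracking search; a constraint is evaluated as soon as all its inputs are assigned.
    for fields, pred in wanted:
        if all(f in assigned for f in fields) and not pred(assigned):
            return None
    if not remaining:
        return dict(assigned)
    field, rest = remaining[0], remaining[1:]
    for value in DOMAIN[field]:
        assigned[field] = value
        found = _search(assigned, rest, wanted)
        if found is not None:
            return found
        del assigned[field]
    return None

def to_packet(v):
    """Concrete bytes for a solved assignment: the 8 header bytes plus a zero payload."""
    return bytes(v[f"b{i}"] for i in range(HEADER_LEN)) + bytes(v["payload_len"])

if __name__ == "__main__":
    seed = b"\x10\x00\x00\x00\x00\x00\x00\xf0"   # constructed packet that reaches the handler
    print("path of seed:", trace(seed))
    pkt = to_packet(solve("patched_check"))
    print("input for the patched check:", pkt.hex(), "->", parse(pkt))
```

The point of separating `trace()` from `solve()` is the one in the message: the concrete trace only tells you how far a real packet gets, and the earlier checks on that path (here the type, flags and checksum predicates) become constraints that any new input must still satisfy, otherwise the solver's answer never reaches the patched instruction at all. A real engine would collect those predicates from the binary rather than from a hand-written list, and would use an SMT solver instead of enumeration, but the shape of the problem is the same.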
Current thread:
- APEG Dave Aitel (Apr 25)