Vulnerability Development mailing list archives
Re: No-Exec Stack Smashing 101
From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Wed, 26 Apr 2000 15:09:43 -0700
Okay, I'm convinced that you can do this, although in actually testing this on a machine that had the non-exec stack I had the luck of turning up strcpy() in a location that ended in 0x00 -- which I'm pretty damn sure there's a work-around for but it's escaping me at the moment. I can always ret into the strcpy() call but then it pushes the RA onto the stack and I wind up back in my procedure and can't jmp to the shellcode. I can also ret into strcpy()+1 but that causes similar problems with not having room for a second return on the stack. It's very annoying and my brain is getting tied in knots trying to figure out if I can manipulate the value of %ebp that has been pushed onto the stack in order to get some room for a 2nd RA into my shellcode. Anyway, I'm convinced. Non-exec stacks on linux/x86 are pretty much worthless. *sigh*.

On Wed, 26 Apr 2000, M.C.Mar wrote:
Hi! Yes! If I have a statically linked binary I make one general assumption: the vulnerable program uses strcpy(). If so I need to find the strcpy() address in its text segment, then find any rwx segment (there is always one, you can find it via /proc/PID/maps) and follow the same way as I described before. All of this applies to local vulnerabilities, or any vulnerabilities that allow me to examine the vulnerable binary. -- Mariusz Wołoszyn Internet Security Specialist, IT -- Internet Partners E-mail: Mariusz.Woloszyn () it pl, woloszyn () it pl
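The quoted reply rests on one observation: a non-executable stack only helps if the process has no other mapping that is both writable and executable, and /proc/PID/maps is where that can be checked. The script below is an added example (not code from either poster) that parses a maps listing and reports every rwx mapping, which is the check a hardening review would want to run against a process. The sample listing is constructed to mimic a 2.2-era static binary and is not taken from the thread; the maps line format (address range, perms, offset, dev, inode, optional pathname) is the documented Linux layout.

```python
"""Audit a Linux /proc/PID/maps listing for mappings that are writable and
executable at the same time (rwx), i.e. the mappings that make a non-exec
stack moot. Added example, not code from the mailing-list thread."""
import re
import sys
from dataclasses import dataclass
from typing import List

# One /proc/PID/maps line: "start-end perms offset dev inode [pathname]".
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)

# Constructed sample (not a real process): a static binary whose heap is
# mapped rwx, which is exactly the kind of segment the thread talks about.
SAMPLE_MAPS = """\
08048000-0804a000 r-xp 00000000 03:01 12345      /tmp/victim
0804a000-0804b000 rw-p 00001000 03:01 12345      /tmp/victim
0804b000-0804d000 rwxp 00000000 00:00 0          [heap]
40000000-40013000 r-xp 00000000 03:01 6789       /lib/ld-2.1.3.so
bffff000-c0000000 rw-p 00000000 00:00 0          [stack]
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def is_rwx(self) -> bool:
        # perms is e.g. "rwxp"; the 4th char is shared/private, not a right.
        return all(flag in self.perms[:3] for flag in "rwx")


def parse_maps(text: str) -> List[Mapping]:
    """Parse a maps listing; raise on a line that does not fit the format."""
    mappings: List[Mapping] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(
            Mapping(
                start=int(m["start"], 16),
                end=int(m["end"], 16),
                perms=m["perms"],
                path=m["path"].strip(),
            )
        )
    return mappings


def find_rwx(text: str) -> List[Mapping]:
    """Return every mapping that is readable, writable and executable."""
    return [mp for mp in parse_maps(text) if mp.is_rwx]


def report(text: str) -> List[str]:
    """Human-readable lines, one per rwx mapping (empty list means clean)."""
    return [
        f"rwx mapping {mp.start:08x}-{mp.end:08x} ({mp.size} bytes) {mp.path or '<anon>'}"
        for mp in find_rwx(text)
    ]


if __name__ == "__main__":
    # Usage: python rwx_audit.py [/proc/PID/maps]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            listing = fh.read()
    else:
        listing = SAMPLE_MAPS
    for line in report(listing) or ["no rwx mappings found"]:
        print(line)
```

Run against `/proc/self/maps` or `/proc/PID/maps` on a live system; any line in the output is a region where a copied payload could run regardless of stack permissions, so an empty report is the state a hardened process should show.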