Vulnerability Development mailing list archives
Re: Where else?
From: Hung Vu <hungvu () netcom ca>
Date: Mon, 19 Nov 2001 21:04:44 -0500
Mariusz Woloszyn wrote:
> Local variables and parameters on the stack (beyond RET), especially pointers, may be sufficient to copy shellcode and pass execution to any other rwx segments. No wx segments means perfect security. It's time to fix the hardware.
But... you still somehow need to change the EIP to execute arbitrary code (injected or existing). I did a simple "biggrep" of a simple "unction [Pp]ointer" pattern on the Glibc 2.1.92 and found some hints about atexit and malloc hooks and a few other interesting spots. Of course, there are more...

Hung.

-----------------------
[root@localhost glibc-2.1.92]# biggrep "unction [Pp]ointer"
/usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog: the address of a symbol so function pointers are handled properly.
/usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog: * elf/rtld.c (_dl_start): Get the function pointer return address
/usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog.8: * argp/argp.h: Use __PMT instead of __P for function pointer.
/usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h: void (*a_fcn) (void); /* Function pointer value */
/usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h: void (*a_fcn) (void); /* Function pointer value */
/usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h:#define R_PARISC_LTOFF_FPTR32 57 /* 32 bits LT-rel. function pointer. */
/usr/src/redhat/BUILD/glibc-2.1.92/elf/vismain.c: /* Function pointers: for functions which are marked local and for
/usr/src/redhat/BUILD/glibc-2.1.92/elf/vismain.c: which definitions are available all function pointers must be
/usr/src/redhat/BUILD/glibc-2.1.92/libio/libio.h:/* The structure with the cookie function pointers. */
/usr/src/redhat/BUILD/glibc-2.1.92/linuxthreads/ChangeLog: * sysdeps/pthread/pthread.h: Use __PMT not __P for function pointers.
/usr/src/redhat/BUILD/glibc-2.1.92/malloc/malloc.c: function pointers) in a system dependent, opaque data structure.
/usr/src/redhat/BUILD/glibc-2.1.92/malloc/malloc.c: `Hook' function pointers are never saved or restored by these
/usr/src/redhat/BUILD/glibc-2.1.92/manual/libc.info-36: a function pointer. *Note Basic Signal Handling::.
/usr/src/redhat/BUILD/glibc-2.1.92/manual/signal.texi:@code{SIG_IGN}, or a function pointer. @xref{Basic Signal Handling}.
/usr/src/redhat/BUILD/glibc-2.1.92/nss/nsswitch.c: /* Remember function pointer for later calls. Even if null, we
/usr/src/redhat/BUILD/glibc-2.1.92/nss/nsswitch.h:/* For mapping a function name to a function pointer. It is known in
/usr/src/redhat/BUILD/glibc-2.1.92/nss/nss_db/dummy-db.h: we're only interested in the function pointers, since that's the
a1 Contains a function pointer to be registered with `atexit'.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/i386/elf/start.S: %edx Contains a function pointer to be registered with `atexit'.
%a1 Contains a function pointer to be registered with `atexit'.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/mips/elf/start.S: v0 ($2) Contains a function pointer to be registered with `atexit'.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/powerpc/dl-start.S:/* Pass a termination function pointer (in this case _dl_fini) in r7. */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/s390/elf/start.S: %r14 Contains a function pointer to be registered with `atexit'.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/sh/elf/start.S: r4 Contains a function pointer to be registered with `atexit'.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/alpha/clone.S: beq a0,$error /* no NULL function pointers */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/arm/clone.S: @ save the function pointer as the 0th element
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/i386/clone.S: movl FUNC(%esp),%ecx /* no NULL function pointers */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/i386/clone.S: /* Save the function pointer as the zeroth argument.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/m68k/clone.S: movel 4(%sp), %a0 /* no NULL function pointers */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S: beqz a0,error /* No NULL function pointers. */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S: sw a0,0(a1) /* Save function pointer. */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S: lw t9,0(sp) /* Function pointer. */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/s390/clone.S: ltr %r1,%r2 /* no NULL function pointers */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/sh/clone.S: /* save the function pointer as the 0th element */
/usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/mbsnrtowcs.c: /* Get the structure with the function pointers. */
/usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/mbsrtowcs.c: /* Get the structure with the function pointers. */
/usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/wcsnrtombs.c: /* Get the structure with the function pointers. */
/usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/wcsrtombs.c: /* Get the structure with the function pointers. */
[root@localhost glibc-2.1.92]#
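Editor's added example, not part of Hung Vu's post or of glibc: the atexit-style handler slots the grep turns up are function pointers kept in writable memory, and the mitigation later glibc releases adopted for them is pointer mangling (PTR_MANGLE: XOR with a per-process secret, then rotate). The slot layout, the `slot_*` names, the rotate amount and the secret value are assumptions; the overwrite is simulated by direct assignment rather than an actual overflow so the program stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>
/* A callback slot modelled on an atexit-style handler table (assumed
   layout): a function pointer next to attacker-reachable data. With
   mangling, a raw address written over the stored word decodes to junk
   instead of a callable target, so the hijack fails even where the
   pointer itself is reachable. */
typedef void (*handler_t)(void);
static uintptr_t pointer_guard;      /* per-process secret, set at startup */
#define ROT 17                       /* rotate amount, as in x86-64 glibc */
#define BITS (sizeof(uintptr_t) * 8)

static uintptr_t mangle(uintptr_t p) {
    p ^= pointer_guard;
    return (p << ROT) | (p >> (BITS - ROT));
}
static uintptr_t demangle(uintptr_t p) {
    p = (p >> ROT) | (p << (BITS - ROT));
    return p ^ pointer_guard;
}
struct slot { char name[16]; uintptr_t fn_mangled; };

static int calls;
static void cleanup_cb(void) { calls++; }
static void other_fn(void)   { calls += 100; }

static void slot_register(struct slot *s, const char *name, handler_t fn) {
    snprintf(s->name, sizeof s->name, "%s", name);
    s->fn_mangled = mangle((uintptr_t)fn);
}
/* The pointer that would actually be called for this slot. */
static handler_t slot_resolve(const struct slot *s) {
    return (handler_t)demangle(s->fn_mangled);
}

/* Returns 1 when mangling both preserves the legitimate callback and
   defeats a simulated overwrite of the slot with a raw address. The
   overwrite is a direct assignment standing in for what an overflow
   of `name` would do, so the program itself stays well-defined. */
int mangling_defeats_raw_overwrite(void) {
    struct slot s;
    pointer_guard = (uintptr_t)0x9e3779b97f4a7c15ULL;  /* constructed; use a random secret in practice */
    slot_register(&s, "cleanup", cleanup_cb);
    int legit_ok = slot_resolve(&s) == cleanup_cb;
    s.fn_mangled = (uintptr_t)other_fn;                /* the raw overwrite */
    int diverted = slot_resolve(&s) == other_fn;
    return legit_ok && !diverted;
}
```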