Vulnerability Development mailing list archives
Re: exploiting a binary if %edi can be overwritten?
From: Valdis.Kletnieks () vt edu
Date: Mon, 23 Jun 2003 14:33:40 -0400
On Mon, 23 Jun 2003 10:06:05 +0200, avel () gmx ch said:
> Hi community, I have a buffer overflow question. If I have a binary (no src available) that I can crash with a too long string, so that %edi is set to 0x41414141 (meaning I could control it)... can I craft the buffer so that the address in %edi is actually jumped to?
Although the context here is implied to be Linux on an x86 CPU, it's good to remember that there are other Unixoids that run on an x86 (the *BSD and Solaris/X86, right off the top of my head) which may have different linkage conventions, and that Linux runs on other processors that don't have a %edi register... I've even seen one exploit that failed to work on a test box - because the exploit used a 686-only opcode to work around something (a no-NULLs requirement or similar), and the testbed was a 486... ;)

So a quick reminder - mention your system and processor, just to be sure. For all Unixoid boxes, 'uname -a' should be specific enough:

% uname -a
Linux turing-police.cc.vt.edu 2.5.72-mm3-lsm1 #3 Sun Jun 22 13:10:38 EDT 2003 i686 i686 i386 GNU/Linux

(Yes, I'm a maniac.. and yes, I know .73 is out :)