Vulnerability Development mailing list archives

Re: Thwarting /bin/bash, an anti-overflow concept ?


From: Gerardo Richarte <gera () corest com>
Date: Wed, 07 Jan 2004 18:52:13 -0300

Alex Schütz wrote:

> Thinking this further, we are going to force the exploit developer to bring along his own binary code of /bin/bash. This may not be possible in every case, since the buffer overflow cannot hold so much data.

        Embedding more than an 'execve("/bin/sh")' as egg is not an oh-so-crazy idea; take a look at, for example:

- Syscall Proxying
 http://www1.corest.com/common/showdoc.php?idx=259&idxseccion=11

- grugq's excellent Userland Exec
 http://www.securityfocus.com/archive/1/348638/2003-12-28/2004-01-03/0

- InlineEgg
 http://oss.corest.com/projects/inlineegg.html
 http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html

- ShellForge
 www.secdev.org/shellforge.html

- MOSDEF
 http://www.immunitysec.com/MOSDEF/

        And quite a few other similar things and projects I know some other people are working on.

        So, as usual with too-simple security protections, it's good to do it, unless you are going to believe that you are ANY safer by doing it. So, in short... why do it if after doing so you can't feel safer?

        gera
