Vulnerability Development mailing list archives
Re: challenge
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Tue, 14 Sep 2004 16:19:42 +0200 (CEST)
On Tue, 14 Sep 2004, Marco Ivaldi wrote:
> Finally, there's room for the .got entry substitution technique, for changing the second free() into a system() instead of using a shellcode -- but beware, 'cause usually system() drops privileges.
Hrm... first of all sorry for the auto-replies, even though this is not a heavy traffic list ;P

I just want to point out that this exploitation technique is not going to work with this kind of vulnerability, 'cause the unlink() macro needs to write in the memory area pointed to by the bk field of the overflowed chunk (specifically, the macro corrupts 10 bytes, from the 3rd to the 12th -- that's the reason why we put a "jmp 0x0a" opcode followed by 10 bytes of junk at the very beginning of the shellcode). Of course, libc is not a writable area.

Nevertheless, .got entry substitution may be an interesting option to exploit format bugs along with some integer overflows, and to bypass some security measures (openwall, stackguard).

--
Marco Ivaldi
Antifork Research, Inc.
http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
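As an added illustration (not part of the mail above or of any allocator's real source), a small C model of the mechanism Marco describes: the unchecked unlink() of 2004-era dlmalloc stores the fd pointer into the area that bk points to, which is why that area has to be writable, shown next to the pointer-consistency check that later glibc versions perform so a crafted chunk is rejected before anything is written. The chunk layout and the sample memory areas are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a 2004-era dlmalloc chunk header: sizes, then the free-list links. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};
/* Classic unchecked unlink(): it writes to BOTH neighbours, so fd and bk must each
 * point into writable memory or the process faults (the mail's point about libc). */
static void unlink_unchecked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;  /* store at fd + offsetof(struct chunk, bk) */
    bk->fd = fd;  /* store at bk + offsetof(struct chunk, fd): the clobbered bytes */
}
/* Safe unlinking as later glibc does it: refuse unless both neighbours point back at p. */
static int unlink_checked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return 0;  /* "corrupted double-linked list": nothing is written */
    fd->bk = bk;
    bk->fd = fd;
    return 1;
}
/* Offset of the first byte the unchecked unlink clobbers in the area bk points to. */
size_t clobbered_offset_in_bk_area(void) {
    struct chunk fd_area, bk_area, p = {0};
    memset(&fd_area, 0xAA, sizeof fd_area);
    memset(&bk_area, 0xBB, sizeof bk_area);
    p.fd = &fd_area; p.bk = &bk_area;
    unlink_unchecked(&p);
    const unsigned char *bytes = (const unsigned char *)&bk_area;
    for (size_t i = 0; i < sizeof bk_area; i++)
        if (bytes[i] != 0xBB) return i;  /* lands on bk_area.fd */
    return (size_t)-1;
}
/* 1 if the check rejects a chunk whose neighbours do not link back to it. */
int crafted_chunk_rejected(void) {
    struct chunk fd_area = {0}, bk_area = {0}, p = {0};
    p.fd = &fd_area; p.bk = &bk_area;
    return unlink_checked(&p) == 0;
}
/* 1 if the check accepts a genuinely linked chunk a <-> p <-> b and unlinks it. */
int legit_chunk_unlinked(void) {
    struct chunk a = {0}, p = {0}, b = {0};
    a.fd = &p; p.bk = &a; p.fd = &b; b.bk = &p;
    return unlink_checked(&p) && a.fd == &b && b.bk == &a;
}
```

On a 32-bit layout the clobbered slot sits at offset 8 of the bk area, on 64-bit at offset 16; either way it is the fd slot, which is why the bytes right after the jump at the start of the shellcode are sacrificed.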