Vulnerability Development mailing list archives

Re: challenge


From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Tue, 14 Sep 2004 16:19:42 +0200 (CEST)

On Tue, 14 Sep 2004, Marco Ivaldi wrote:

Finally, there's room for the .got entry substitution technique, for 
changing the second free() into a system() instead of using a shellcode
-- but beware, 'cause usually system() drops privileges.

Hrm... first of all sorry for the auto-replies, even though this is not a 
heavy traffic list ;P

I just want to point out that this exploitation technique is not going to 
work with this kind of vulnerability, 'cause the unlink() macro needs to 
write in the memory area pointed to by the bk field of the overflowed chunk 
(specifically, the macro corrupts 10 bytes, from 3rd to 12th -- that's the 
reason why we put a "jmp 0x0a" opcode followed by 10 bytes of junk at the 
very beginning of the shellcode). Of course, libc is not a writable area.

Nevertheless, .got entry substitution may be an interesting option to 
exploit format bugs along with some integer overflows, and to bypass some 
security measures (openwall, stackguard).

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
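As an added illustration (not part of the original mail or of any exploit the thread discusses), the following C model of the old, pre-safe-unlinking dlmalloc unlink() macro shows where its two writes land, why the payload starts with a short jmp followed by junk bytes, and why pointing bk at libc's system() would mean a write into non-writable text. The flat byte array standing in for a 32-bit address space, the addresses GOT_FREE, CHUNK, SHELLCODE and the libc range, and the payload bytes are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed 32-bit "address space": a flat byte array, addresses are
 * offsets into it. Nothing here is real process memory. */
#define MEM_SIZE 0x1000
static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &mem[a], 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(&mem[a], &v, 4); }

/* Old dlmalloc chunk layout (32-bit): +0 prev_size, +4 size, +8 fd, +12 bk.
 * The classic macro  FD = P->fd; BK = P->bk; FD->bk = BK; BK->fd = FD;
 * therefore performs exactly two writes: *(FD+12) = BK and *(BK+8) = FD. */
#define OFF_FD 8
#define OFF_BK 12

/* Addresses of the last two writes, recorded for inspection. */
static uint32_t g_w1, g_w2;

static void unlink_chunk(uint32_t p) {
    uint32_t fd = rd32(p + OFF_FD);
    uint32_t bk = rd32(p + OFF_BK);
    g_w1 = fd + OFF_BK; wr32(g_w1, bk);   /* FD->bk = BK */
    g_w2 = bk + OFF_FD; wr32(g_w2, fd);   /* BK->fd = FD */
}

/* Hypothetical layout inside the fake memory. */
#define GOT_FREE  0x100u   /* pretend free()'s GOT slot lives here */
#define CHUNK     0x200u   /* header of the chunk we overflowed into */
#define SHELLCODE 0x300u   /* buffer holding our payload */

/* jmp $+12 hops over the bytes unlink is about to scribble on; the
 * trailing bytes stand in for the real shellcode (constructed). */
static const uint8_t payload[] = {
    0xeb, 0x0a,
    'A','A','A','A','A','A','A','A','A','A',
    0x31, 0xc0, 0xcc
};

/* fd = GOT entry - 12 so write 1 lands on the GOT entry; bk = payload
 * address so write 2 lands inside the payload (a writable area).
 * Returns what now sits in the GOT entry. */
static uint32_t stage_and_unlink(void) {
    memset(mem, 0, sizeof mem);
    memcpy(&mem[SHELLCODE], payload, sizeof payload);
    wr32(CHUNK + OFF_FD, GOT_FREE - OFF_BK);
    wr32(CHUNK + OFF_BK, SHELLCODE);
    unlink_chunk(CHUNK);
    return rd32(GOT_FREE);
}

/* Bitmask of payload bytes unlink overwrote (bit i set = byte i changed). */
static uint32_t clobbered_mask(void) {
    uint32_t m = 0;
    for (size_t i = 0; i < sizeof payload; i++)
        if (mem[SHELLCODE + i] != payload[i]) m |= 1u << i;
    return m;
}

/* Offset the leading short jmp lands on: 2-byte insn plus its rel8. */
static uint32_t jmp_target(void) {
    return 2 + mem[SHELLCODE + 1];
}

/* Would write 2 hit a non-writable range [ro_start, ro_end)? This is the
 * problem with bk = &system: BK->fd writes into libc's text segment. */
static int bk_write_is_writable(uint32_t bk, uint32_t ro_start, uint32_t ro_end) {
    uint32_t w2 = bk + OFF_FD;
    return !(w2 >= ro_start && w2 < ro_end);
}

int main(void) {
    uint32_t got = stage_and_unlink();
    printf("GOT entry now = 0x%x, writes at 0x%x and 0x%x\n", got, g_w1, g_w2);
    printf("payload bytes clobbered: mask 0x%x, jmp lands at +%u\n",
           clobbered_mask(), jmp_target());
    /* hypothetical libc text mapping and system() address */
    printf("bk=&system writable? %d\n",
           bk_write_is_writable(0x40040000u, 0x40000000u, 0x40100000u));
    return 0;
}
```

With this layout only bytes 8 to 11 of the payload change (they receive the fd value, GOT_FREE - 12), and the jmp at offset 0 lands at offset 12, past the damage; any bk that points into a read-only mapping makes the second write fault instead, which is the limitation the mail describes.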
