Vulnerability Development mailing list archives
problem in bypassing stack randomization ("call *%edx" technique)
From: Pravin <shindepravin () gmail com>
Date: Mon, 18 Sep 2006 12:02:19 +0530
Hi,

I am working on vulnerabilities which will bypass stack randomization. I came across a method (the "call *%edx" technique) described in http://rawlab.mindcreations.com/codes/exp/randstack/exp_call_rand.pl

As per my understanding, the method works along the lines of finding the library which is not randomized, then finding the instruction "call *%edx" in the assembly code of that library, and passing control to this instruction by overwriting the return address with the address of this instruction from the non-randomized library.

I do understand that control will go to that instruction, but how can I control the value of "*%edx"? I know I can control the value of "*%esp", but how can I overwrite "*%edx"? And if I don't control the value of "*%edx", then how will my shellcode get executed?

I am missing something over here. Please let me know if I am wrong somewhere. I will appreciate it if someone can give me a link to some detailed documentation for the "call *%edx" technique, or some hint of how it works and how control passes to the shellcode exactly.

Thanx.

-- Pravin Shinde
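From the defender's side, the first step the post describes depends on some object being loaded at a fixed address on every run. The following Python helper is an added example (not code from the original post or from the linked script) that compares two /proc/<pid>/maps dumps and lists the objects whose base address did not move; the two dumps, the paths and the `libold.so` name are constructed sample data.

```python
"""Audit helper: given two /proc/<pid>/maps dumps from separate runs of the
same program, report which mapped objects kept the same base address, i.e.
were not randomized.  RUN_A and RUN_B are constructed sample dumps."""
import re
import subprocess
import sys

# Constructed sample: between the runs only libc and the stack moved; the
# non-PIE main binary and a hypothetical libold.so stayed at fixed addresses.
RUN_A = """\
08048000-08049000 r-xp 00000000 08:01 1234 /home/user/vuln
b7e00000-b7f40000 r-xp 00000000 08:01 5678 /lib/libc.so.6
b7f50000-b7f60000 r-xp 00000000 08:01 9012 /usr/lib/libold.so
bffeb000-c0000000 rw-p 00000000 00:00 0    [stack]
"""
RUN_B = """\
08048000-08049000 r-xp 00000000 08:01 1234 /home/user/vuln
b7d10000-b7e50000 r-xp 00000000 08:01 5678 /lib/libc.so.6
b7f50000-b7f60000 r-xp 00000000 08:01 9012 /usr/lib/libold.so
bf912000-bf927000 rw-p 00000000 00:00 0    [stack]
"""

# start-end perms offset dev inode name ; anonymous mappings (no name) are skipped
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+ \S+ \S+ \S+ \S+\s+(\S.*)$")

def base_addresses(maps_text):
    """Map each named object (file path or [stack]/[heap]) to the lowest
    start address among its mappings."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, name = int(m.group(1), 16), m.group(2)
        bases[name] = min(start, bases.get(name, start))
    return bases

def unrandomized(maps_a, maps_b):
    """Return the sorted names present in both dumps whose base did not move."""
    a, b = base_addresses(maps_a), base_addresses(maps_b)
    return sorted(n for n in a if n in b and a[n] == b[n])

def live_check(argv=(sys.executable, "-c", "print(open('/proc/self/maps').read())")):
    """Run a command twice and compare its real maps (Linux only)."""
    dumps = [subprocess.run(argv, capture_output=True, text=True, check=True).stdout
             for _ in range(2)]
    return unrandomized(*dumps)

if __name__ == "__main__":
    print("not randomized in sample:", unrandomized(RUN_A, RUN_B))
```

Two runs can coincide by chance, so for a real audit run `live_check` several times and treat an object as fixed only if it never moves; anything it reports is a candidate for being rebuilt as PIE or otherwise loaded at a randomized address.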
Current thread:
- problem in bypassing stack randomization ("call *%edx" technique) Pravin (Sep 18)
- Re: problem in bypassing stack randomization ("call *%edx" technique) purelysp4m (Sep 20)