Bugtraq mailing list archives

Re: Future of buffer overflows ?

From: tseeker () probemail com
Date: Thu, 2 Nov 2000 04:13:53 -600

Feed a return address and arguments so the RET "calls" memcpy >(),
and use this memcpy() to move the buffer to some place in
memory where
you can jump latter. Then tell memcpy() to return to this new > place,clarifying:

memcpy needs an argument specifying the amount of bytes to
copy. It will contain 0, so you will have problems with putting
it on the stack. strcpy() is a better choice. This technique
was first described (some years ago) in "Defeating Solar
Designer non-executable stack patch" by Nergal
http://www.securityfocus.com/archive/1/8470
check it out, the second method can be used to bypass Pax
protection as well. It additionally deals with the case when
libc is mapped into a region with address which begins with NULL.

The second option... let's call it "pop&ret"

That is pretty cool.

The Seeker


ProbeMail / http://www.probemail.com

Current thread:

Re: Future of buffer overflows ? Granquist, Lamont (Nov 03)
- <Possible follow-ups>
- Re: Future of buffer overflows ? Darren Reed (Nov 03)
- Re: Future of buffer overflows ? Michal Zalewski (Nov 03)
  - Re: Future of buffer overflows ? Crispin Cowan (Nov 03)
- Re: Future of buffer overflows ? tseeker (Nov 03)
- Re: Future of buffer overflows ? Gerardo Richarte (Nov 03)
  - Re: Future of buffer overflows ? Gerardo Richarte (Nov 03)