Bugtraq mailing list archives
Re: Future of buffer overflows ?
From: tseeker () probemail com
Date: Thu, 2 Nov 2000 04:13:53 -600
> Feed a return address and arguments so the RET "calls" memcpy(), and use
> this memcpy() to move the buffer to some place in memory where you can jump
> later. Then tell memcpy() to return to this new place,

clarifying:
memcpy() needs an argument specifying the number of bytes to copy. It will contain 0, so you will have problems putting it on the stack. strcpy() is a better choice. This technique was first described (some years ago) in "Defeating Solar Designer non-executable stack patch" by Nergal, http://www.securityfocus.com/archive/1/8470. Check it out; the second method can be used to bypass PaX protection as well. It additionally deals with the case when libc is mapped into a region whose address begins with NULL.
> The second option... let's call it "pop&ret"

That is pretty cool.

The Seeker
ProbeMail / http://www.probemail.com
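A mitigation-side check for the last point in the post (libc mapped in a region whose addresses begin with a NUL byte), written as an added example that is not part of this post or the thread: it parses constructed /proc/<pid>/maps lines (an assumed sample, not real output) and reports which executable mappings lie entirely below 0x01000000, where every return address contains a 0x00 byte that a str*cpy-style overflow cannot write past.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed /proc/<pid>/maps lines for a 32-bit process (not real output);
 * libc is deliberately mapped below 0x01000000, the region the post mentions. */
static const char *sample_maps[] = {
    "00110000-0025b000 r-xp 00000000 08:01 4242 /lib/libc.so.6",
    "08048000-0804a000 r-xp 00000000 08:01 4343 /tmp/demo",
    "40000000-40015000 r-xp 00000000 08:01 4444 /lib/ld-linux.so.2",
    "bffeb000-c0000000 rw-p 00000000 00:00 0" };
#define N_SAMPLE (sizeof sample_maps / sizeof sample_maps[0])

/* Parse one maps line into [start,end), perms and path ("" when anonymous).
 * Returns 1 on success, 0 if the line is not a maps entry. */
int parse_maps_line(const char *line, uint32_t *start, uint32_t *end,
                    char perms[5], char *path, size_t pathlen) {
    unsigned long s, e; int consumed = 0;
    if (sscanf(line, "%lx-%lx %4s %*s %*s %*s%n", &s, &e, perms, &consumed) != 3
        || consumed == 0 || s >= e)
        return 0;
    line += consumed;
    while (*line == ' ' || *line == '\t') line++;      /* padding before path */
    snprintf(path, pathlen, "%s", line);
    *start = (uint32_t)s; *end = (uint32_t)e;
    return 1;
}

/* NUL-armored: every address in the mapping has 0x00 as its top byte
 * (end <= 0x01000000). A string copy stops at the first NUL, and the single
 * terminator it writes is always the last byte of the payload, so it cannot
 * place such a word in a saved return slot. */
int nul_armored(uint32_t start, uint32_t end) {
    return start < end && end <= 0x01000000u;
}

/* Count executable mappings whose addresses a string copy can spell out whole. */
size_t count_unarmored_exec(const char **lines, size_t n) {
    size_t bad = 0; uint32_t s, e; char perms[5], path[256];
    for (size_t i = 0; i < n; i++)
        if (parse_maps_line(lines[i], &s, &e, perms, path, sizeof path)
            && strchr(perms, 'x') && !nul_armored(s, e))
            bad++;
    return bad;
}

int main(void) {
    printf("executable mappings not NUL-armored: %zu of %zu sample lines\n",
           count_unarmored_exec(sample_maps, N_SAMPLE), N_SAMPLE);
    return 0;
}
```

On a live system the same functions can be fed the lines of /proc/self/maps; the sample here yields two executable mappings (the main binary and ld.so) outside the armored region.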