Dailydave mailing list archives
Re: (windows is vulnerable too) & final comments on naming
From: intropy <intropy () gmail com>
Date: Wed, 7 Mar 2007 11:44:16 -0600
On 3/7/07, Brad Spengler <spender () grsecurity net> wrote:
What version of Windows are you using? Maybe you're getting confused with the behavior that giving a NULL address as a hint to any allocation/mapping function is a special case within the OS to select its own address. Luckily though, the address passed in is rounded down internally, so giving an address of 1 will let you allocate at the 0 address.
Microsoft's own driver verifier does this to trap NULL derefs when exercising code. In the dc2 application specifying /n will map the 0x0 page. "/n Map zero page so that NULL pointer de-references don't raise" And its done just like you. 45C push 4 460 push 3000h 464 lea ecx, [ebp+var_1C] 464 push ecx 468 push 1 46C lea edx, [ebp+var_14] 46C push edx 470 push 0FFFFFFFFh 474 call ds:NtAllocateVirtualMemory _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns, (continued)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns TINNES Julien RD-MAPS-ISS (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Michal Zalewski (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, andsilently fixed Linux vulns TINNES Julien RD-MAPS-ISS (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, andsilently fixed Linux vulns Michal Zalewski (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, andsilently fixed Linux vulns TINNES Julien RD-MAPS-ISS (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, andsilently fixed Linux vulns don bailey (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, andsilently fixed Linux vulns Thomas Ptacek (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns TINNES Julien RD-MAPS-ISS (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Michal Zalewski (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Dave Korn (Mar 06)
- (windows is vulnerable too) & final comments on naming Brad Spengler (Mar 07)
- Re: (windows is vulnerable too) & final comments on naming intropy (Mar 07)
- Re: (windows is vulnerable too) & final comments on naming Dave Aitel (Mar 07)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Joel Eriksson (Mar 07)
- Message not available
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Dave Korn (Mar 14)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Sebastian Krahmer (Mar 06)