Dailydave mailing list archives

Re: (windows is vulnerable too) & final comments on naming


From: intropy <intropy () gmail com>
Date: Wed, 7 Mar 2007 11:44:16 -0600

On 3/7/07, Brad Spengler <spender () grsecurity net> wrote:

> What version of Windows are you using?  Maybe you're getting confused
> with the behavior that giving a NULL address as a hint to any
> allocation/mapping function is a special case within the OS to select
> its own address.  Luckily though, the address passed in is rounded down
> internally, so giving an address of 1 will let you allocate at the 0
> address.

Microsoft's own driver verifier does this to trap NULL derefs when
exercising code.  In the dc2 application specifying /n will map the
0x0 page.

"/n      Map zero page so that NULL pointer de-references don't raise"

And it's done just like you.

45C push    4
460 push    3000h
464 lea     ecx, [ebp+var_1C]
464 push    ecx
468 push    1
46C lea     edx, [ebp+var_14]
46C push    edx
470 push    0FFFFFFFFh
474 call    ds:NtAllocateVirtualMemory
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave