Dailydave mailing list archives

Exploiting single NUL byte writes in XP SP2 - Is it possible?


From: nnp <version5 () gmail com>
Date: Sat, 17 Nov 2007 09:46:00 -0800


Well, this seemed like as good a place as any to ask this, so here
goes. Is it possible to exploit a single NUL byte write in XP SP2? I
can write the NUL byte anywhere, but for the life of me I can't think
of any way to get code execution from this. As far as I can tell, to
exploit this I would need to be able to get data I control within 255
bytes of an address that's called and then zero out the LSB, and that
just doesn't seem possible in Windows.

Anyone have a better (and by better I mean even remotely possible ;) )
way to exploit this?

Cheers,
nnp

--
http://www.smashthestack.org
http://www.unprotectedhex.com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

