Vulnerability Development mailing list archives

Re: No-Exec Stack Smashing 101

From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Tue, 25 Apr 2000 13:58:00 -0700


Okay, lets say that you've got:

1.  non-exec stack
2.  libc remapped to location with 0x00 in it
3.  statically linked executable, so no PLT functions

And assume the bug is a simple buffer overflow in a string function which
terminates on a 0x00 (i.e. ignore for the moment ways around a 0x00
"canary")

How can you get around that?  Is there a more general way around non-exec
stacks than return-into-PLT exploits?

Current thread:

Re: No-Exec Stack Smashing 101, (continued)
- - - Re: No-Exec Stack Smashing 101 Granquist, Lamont (Apr 20)
    - Re: No-Exec Stack Smashing 101 Mariusz Woloszyn (Apr 21)
    - Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Zoa_Chien (Apr 21)
    - Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Bob Fiero (Apr 21)
    - Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Ron DuFresne (Apr 21)
    - Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Zoa_Chien (Apr 21)
    - Re: Securax Security Advisory: Windows98 contains a seriousbuffer overflow with long filenameextensions. Markus Kern (Apr 22)
    - Re: Securax Security Advisory: Windows98 contains a seriousbuffer overflow with long filenameextensions. Zoa_Chien (Apr 23)
    - koules again Kotz (Apr 21)
    - Re: koules again Ron DuFresne (Apr 21)
    - Re: No-Exec Stack Smashing 101 Granquist, Lamont (Apr 25)
    - Re: No-Exec Stack Smashing 101 M.C.Mar (Apr 26)
    - limited functionality accounts (was: Re: History Files) Alex Andrews (Apr 25)
    - Re: limited functionality accounts (was: Re: History Files) Rob Kouwenberg (Apr 28)
    - Re: No-Exec Stack Smashing 101 Granquist, Lamont (Apr 26)
    - long file names in explorer.exe kj (Apr 26)
    - Re: long file names in explorer.exe Rory Savage (Apr 28)
    - Re: long file names in explorer.exe kj (Apr 28)
    - Lotus notes + windows98 overflow Alistair Orchard (Apr 27)
    - Blind Remote Buffer Overflow Granquist, Lamont (Apr 27)
    - Eudora Pro Buffer Overflow testing in progress - help needed. Zoa_Chien (Apr 28)

(Thread continues...)