Vulnerability Development mailing list archives

Re: No-Exec Stack Smashing 101


From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Wed, 26 Apr 2000 15:09:43 -0700


Okay, I'm convinced that you can do this, although in actually testing
this on a machine that had the non-exec stack I had the luck of turning
up strcpy() in a location that ended in 0x00 -- which I'm pretty damn sure
there's a work-around for, but it's escaping me at the moment.  I can always
ret into the strcpy() call but then it pushes the RA onto the stack and
I wind up back in my procedure and can't jmp to the shellcode.  I can also
ret into strcpy()+1 but that causes similar problems with not having room
for a second return on the stack.  It's very annoying and my brain is
getting tied in knots trying to figure out if I can manipulate the value
of %ebp that has been pushed onto the stack in order to get some room
for a 2nd RA into my shellcode.

Anyway, I'm convinced.  Non-exec stacks on linux/x86 are pretty much
worthless.  *sigh*.

On Wed, 26 Apr 2000, M.C.Mar wrote:
Hi!

Yes! If I have a statically linked binary I make one general assumption:
the vulnerable program uses strcpy(). If so I need to find the strcpy() address in
its text segment, then find any rwx segment (there is always one; you can
find it via /proc/PID/maps) and follow the same way as I described before.
All of this applies to local vulnerabilities, or any vulnerabilities that
allow me to examine the vulnerable binary.

--
Mariusz Wołoszyn
Internet Security Specialist, IT -- Internet Partners
E-mail: Mariusz.Woloszyn () it pl, woloszyn () it pl
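A defender's check of the claim above, that a readable, writable and executable segment shows up in /proc/PID/maps: this is an added example, not code from either poster. It parses maps output, reports every mapping that is both writable and executable (a W^X violation), and runs against a constructed sample by default or a live PID when one is given; the function names (parse_maps, find_wx_mappings, audit_process) are my own.

```python
import re
import sys
from pathlib import Path

# One line of /proc/PID/maps: start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Parse /proc/PID/maps text into a list of mapping dicts."""
    mappings = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        d = m.groupdict()
        d["start"] = int(d["start"], 16)
        d["end"] = int(d["end"], 16)
        d["path"] = d["path"].strip() or "[anonymous]"
        mappings.append(d)
    return mappings


def find_wx_mappings(text):
    """Return mappings that are both writable and executable."""
    return [m for m in parse_maps(text)
            if "w" in m["perms"] and "x" in m["perms"]]


def audit_process(pid):
    """Read a live process's maps and return its W+X mappings (Linux only)."""
    return find_wx_mappings(Path(f"/proc/{pid}/maps").read_text())


# Constructed sample in the layout the thread discusses; not real output.
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 03:01 12345 /usr/local/bin/victim
0804c000-0804d000 rw-p 00003000 03:01 12345 /usr/local/bin/victim
0804d000-08051000 rwxp 00000000 00:00 0
40000000-40013000 r-xp 00000000 03:01 67890 /lib/ld-linux.so.2
bfffe000-c0000000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else None
    hits = audit_process(pid) if pid else find_wx_mappings(SAMPLE_MAPS)
    for m in hits:
        print(f"W+X: {m['start']:08x}-{m['end']:08x} {m['perms']} {m['path']}")
```

On a modern kernel the same script run over every PID in /proc is a quick way to confirm that no process still carries an rwx mapping.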


