Vulnerability Development mailing list archives

Re: No-Exec Stack Smashing 101


From: mhw () WITTSEND COM (Michael H. Warfield)
Date: Wed, 26 Apr 2000 07:05:45 -0400


On Tue, Apr 25, 2000 at 01:58:00PM -0700, Granquist, Lamont wrote:
> Okay, let's say that you've got:
>
> 1.  non-exec stack
> 2.  libc remapped to location with 0x00 in it
> 3.  statically linked executable, so no PLT functions
>
> And assume the bug is a simple buffer overflow in a string function which
> terminates on a 0x00 (i.e. ignore for the moment ways around a 0x00
> "canary")
>
> How can you get around that?  Is there a more general way around non-exec
> stacks than return-into-PLT exploits?

        Find a location in the code which does not have a 0x00 in the
address and which CALLS the library function and return to the address
of that call instruction?

        Mike

--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
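The second mitigation in Lamont's list (libc remapped to an address containing 0x00) only helps if every address in the remapped library carries a zero byte, and Mike's reply points out that the program's own text segment gets no such protection. The following is an added example, not code from the thread or from any project discussed in it, that lets a defender check a proposed mapping rather than just its base address: it reports the lowest address in a mapping whose little-endian encoding contains no 0x00 byte, or `None` if the whole mapping is covered. The mapping bases and sizes below are constructed sample values, not a real process layout.

```python
# Added example (not from the thread): does a mapping's whole address range
# contain a 0x00 byte, i.e. does the "libc at an address with a zero byte"
# mitigation actually cover it? Sample values are constructed.


def has_nul_byte(addr: int, width: int = 4) -> bool:
    """True if the little-endian encoding of addr contains a 0x00 byte."""
    return 0 in addr.to_bytes(width, "little")


def first_nul_free_address(base: int, size: int, width: int = 4):
    """Lowest address in [base, base + size) with no zero byte, or None.

    Instead of walking every address, jump over whole blocks: if byte k of
    the current address is zero, every address with the same higher bytes
    and byte k == 0 also contains a NUL, so the next candidate is the
    smallest address with byte k and all lower bytes set to 0x01. Each jump
    clears one more byte position, so the loop runs at most `width` times.
    """
    end = base + size
    addr = base
    while addr < end:
        b = addr.to_bytes(width, "little")
        zero_positions = [i for i in range(width) if b[i] == 0]
        if not zero_positions:
            return addr
        k = max(zero_positions)  # most significant zero byte
        nxt = bytearray(b)
        for i in range(k + 1):
            nxt[i] = 0x01
        addr = int.from_bytes(nxt, "little")
    return None


def mitigation_covers(base: int, size: int, width: int = 4) -> bool:
    """True if no address in the mapping is reachable via a NUL-terminated copy."""
    return first_nul_free_address(base, size, width) is None


if __name__ == "__main__":
    # Constructed 32-bit layouts: a libc remapped low (base 0x00110000) versus
    # a libc at a conventional 0x40000000 base, and the text of a static
    # binary loaded at 0x08048000 (the case Mike's reply is about).
    for name, base, size in [
        ("remapped libc", 0x00110000, 0x100000),
        ("conventional libc", 0x40000000, 0x100000),
        ("static binary text", 0x08048000, 0x1000),
    ]:
        gap = first_nul_free_address(base, size)
        status = "fully NUL-covered" if gap is None else f"first NUL-free address {gap:#010x}"
        print(f"{name:20s} {base:#010x}+{size:#x}: {status}")
```

Note the third sample: the mitigation on libc says nothing about the statically linked program's own code, which sits at addresses with no zero byte beyond the first, which is exactly why Mike's suggestion of returning to an existing call site in the program text sidesteps the remapping.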


