Vulnerability Development mailing list archives

Re: No-Exec Stack Smashing 101


From: woloszyn () IPARTNERS PL (M.C.Mar)
Date: Wed, 26 Apr 2000 09:54:25 +0200


On Tue, 25 Apr 2000 lamont () icopyright com wrote:

Okay, let's say that you've got:

1.  non-exec stack
2.  libc remapped to location with 0x00 in it
3.  statically linked executable, so no PLT functions

And assume the bug is a simple buffer overflow in a string function which
terminates on a 0x00 (i.e. ignore for the moment ways around a 0x00
"canary")

How can you get around that?  Is there a more general way around non-exec
stacks than return-into-PLT exploits?

Hi!

Yes! If I have a statically linked binary I make one general assumption:
the vulnerable program uses strcpy(). If so, I need to find the strcpy() address in
its text segment, then find any rwx segment (there is always one, you can
find it via /proc/PID/maps) and follow the same way as I described before.
All of this applies to local vulnerabilities, or any vulnerabilities that
allow me to examine the vulnerable binary.

--
Mariusz Wołoszyn
Internet Security Specialist, IT -- Internet Partners
E-mail: Mariusz.Woloszyn () it pl, woloszyn () it pl
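The reply hinges on a process having at least one mapping that is both writable and executable. As an added example (not part of the original post), here is a small checker that parses lines in /proc/PID/maps format and flags such W+X mappings, which is the condition a defender wants to audit for; the sample maps text below is constructed, not taken from a real process.

```python
import re
from typing import Iterator, List, NamedTuple

# Constructed sample in /proc/PID/maps format (not a real process dump).
SAMPLE_MAPS = """\
08048000-0805a000 r-xp 00000000 03:01 12345      /usr/local/bin/victim
0805a000-0805c000 rw-p 00011000 03:01 12345      /usr/local/bin/victim
0805c000-08080000 rwxp 00000000 00:00 0          [heap]
40000000-40014000 r-xp 00000000 03:01 67890      /lib/ld-2.1.3.so
bfffe000-c0000000 rw-p 00000000 00:00 0          [stack]
"""


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str


# One maps line: start-end, perms (e.g. rwxp), offset, dev, inode, optional path.
_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)


def parse_maps(text: str) -> Iterator[Mapping]:
    """Yield one Mapping per well-formed maps line; malformed lines are skipped."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        yield Mapping(int(m.group(1), 16), int(m.group(2), 16),
                      m.group(3), m.group(4).strip())


def wx_mappings(text: str) -> List[Mapping]:
    """Return every mapping that is both writable and executable (a W^X violation)."""
    return [m for m in parse_maps(text) if "w" in m.perms and "x" in m.perms]


def report(text: str) -> List[str]:
    """Human-readable lines for each W+X mapping found in the maps text."""
    return [f"{m.start:08x}-{m.end:08x} {m.perms} {m.path or '[anon]'}"
            for m in wx_mappings(text)]


if __name__ == "__main__":
    for entry in report(SAMPLE_MAPS):
        print("W+X mapping:", entry)
```

On a live system the same functions can be fed the contents of /proc/PID/maps for each process of interest; an empty result means no mapping of that process is simultaneously writable and executable.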


