Vulnerability Development mailing list archives
Re: No-Exec Stack Smashing 101
From: woloszyn () IPARTNERS PL (M.C.Mar)
Date: Wed, 26 Apr 2000 09:54:25 +0200
On Tue, 25 Apr 2000 lamont () icopyright com wrote:
Okay, let's say that you've got:
1. non-exec stack
2. libc remapped to location with 0x00 in it
3. statically linked executable, so no PLT functions
And assume the bug is a simple buffer overflow in a string function which terminates on a 0x00 (i.e. ignore for the moment ways around a 0x00 "canary"). How can you get around that? Is there a more general way around non-exec stacks than return-into-PLT exploits?
Hi! Yes! If I have a statically linked binary I make one general assumption: the vulnerable program uses strcpy(). If so I need to find the strcpy() address in its text segment, then find any rwx segment (there is always one, you can find it via /proc/PID/maps) and follow the same way as I described before. All of this applies to local vulnerabilities, or any vulnerabilities that allow me to examine the vulnerable binary.

--
Mariusz Wołoszyn
Internet Security Specialist, IT -- Internet Partners
E-mail: Mariusz.Woloszyn () it pl, woloszyn () it pl
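The reply above depends on a process having at least one writable-and-executable (rwx) mapping visible in /proc/PID/maps. As an added example that is not part of the original thread, the check below parses that file's format and flags such W+X mappings, which is the audit a hardener runs to confirm a non-exec stack is not undone by an rwx data or heap segment; the maps text is constructed, not captured from a real process.

```python
"""Audit /proc/PID/maps for writable-and-executable mappings (W^X violations)."""
import re
from typing import List, NamedTuple

# Constructed sample of /proc/PID/maps output (not from a real process):
# a statically linked binary whose data segment and heap are rwx while
# the stack itself is non-executable, as in the scenario discussed above.
SAMPLE_MAPS = """\
08048000-080c9000 r-xp 00000000 03:01 1234 /usr/local/bin/victim
080c9000-080d2000 rwxp 00080000 03:01 1234 /usr/local/bin/victim
080d2000-080f5000 rwxp 00000000 00:00 0 [heap]
bfffe000-c0000000 rw-p 00000000 00:00 0 [stack]
"""

# One maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/PID/maps text into Mapping records; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"]))
    return out


def wx_mappings(maps: List[Mapping]) -> List[Mapping]:
    """Mappings that are both writable and executable: the rwx segments the post relies on."""
    return [m for m in maps if "w" in m.perms and "x" in m.perms]


def stack_executable(maps: List[Mapping]) -> bool:
    """True if the main thread stack mapping carries the execute bit."""
    return any(m.path == "[stack]" and "x" in m.perms for m in maps)


def audit_pid(pid: int) -> List[Mapping]:
    """Read a live process's maps (Linux only) and return its W+X mappings."""
    with open(f"/proc/{pid}/maps") as f:
        return wx_mappings(parse_maps(f.read()))


if __name__ == "__main__":
    for m in wx_mappings(parse_maps(SAMPLE_MAPS)):
        print(f"W+X: {m.start:08x}-{m.end:08x} {m.perms} {m.path}")
```

A non-executable stack with an rwx data segment or heap still reports W+X here; a hardened process should return an empty list.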