Vulnerability Development mailing list archives
Re: BitchX /ignore bug
From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Wed, 5 Jul 2000 12:59:10 -0700
On Wed, Jul 05, 2000 at 10:45:22AM -0400, Benjamin Karas wrote:
> I just wanted to point out that the PowerPC is one of the unbelievably bizarre platforms -- it passes parameters in registers. I've also seen some pretty strange stuff on OpenBSD with parameter passing.
It should be fairly independent of operating system; ABIs tend to be pretty consistent on the same hardware target (well, there are usually two or three different ones at least, but OpenBSD probably doesn't have its own).
> For those who are curious, exploiting a PowerPC program can be a bit more difficult than an x86 program. First, PPC code is optimized such that frames are 32 *byte* aligned. I've been told this is because of how the PPC cache works. Furthermore, strings and stuff are 4 byte aligned. This all means that there are often unused bytes on the stack. This means strings might not be adjacent on the stack, which eliminates the attacks described in Phrack 56, article 0x0e.
Not really. Programmers usually pick multiples of four for buffer sizes. You also have no guarantee that a string starts at a four-byte alignment - if it is, for instance, in the middle of a struct, that may not be the case.
> Another difficulty is that a lot of opcodes in PPC assembly contain zeros in them (each is 4 bytes long).
This is not an issue, I can assure you. There's more than enough that do not.
> I just wanted to point these things out. Running a server on PPC hardware might be slightly more secure than Intel simply from an obscurity standpoint.
Bad, bad idea. At least two working PPC shellcodes have been published; I've written two others, and they did not take me terribly long to turn out. As it turns out, the worst thing about PowerPC from the hacker's standpoint is that most recent PPC chips have separate data and instruction caches. Getting your code flushed into main memory so that the icache will find it can be a spot of difficulty.

Dan

/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz              |__| SCS Class of 2002              |
| Debian GNU/Linux Developer     __  Carnegie Mellon University      |
| dan () debian org              |  | dmj+ () andrew cmu edu         |
\--------------------------------/ \--------------------------------/
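The alignment point argued above (whether padding appears between two character buffers depends on their sizes and on what surrounds them, not on the stack or the architecture) can be checked directly with `offsetof`. The following is an added example written for this archive page, not code from the thread or from BitchX; the struct names and member sizes are hypothetical and were chosen to show the three cases: a buffer that lands at an unaligned offset because a one-byte field precedes it, two multiple-of-four buffers that sit back to back with no padding, and an odd-sized buffer that only gets padding because an `int` follows it.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical record layouts, constructed for this example; they are
 * not from BitchX or from the thread. Every size is chosen on purpose. */
struct hdr_then_nick {
    char  type;        /* a single byte ...                                   */
    char  nick[16];    /* ... so this buffer starts at offset 1, not 4-aligned */
};

struct adjacent_buffers {
    char  nick[16];    /* 16 and 32 are multiples of four ...                 */
    char  msg[32];     /* ... so msg follows nick with no padding at all      */
    int   flags;
};

struct odd_then_int {
    char  nick[13];    /* an odd size ...                                     */
    int   flags;       /* ... forces 3 padding bytes before the 4-aligned int */
};

/* Padding bytes between the end of one member and the start of the next. */
size_t gap_between(size_t a_off, size_t a_size, size_t b_off)
{
    return b_off - (a_off + a_size);
}

/* 1 if the member offset is a multiple of the alignment asked about. */
int offset_is_aligned(size_t off, size_t align)
{
    return off % align == 0;
}

size_t nick_offset_after_type(void)
{
    return offsetof(struct hdr_then_nick, nick);
}

size_t gap_nick_to_msg(void)
{
    return gap_between(offsetof(struct adjacent_buffers, nick),
                       sizeof(((struct adjacent_buffers *)0)->nick),
                       offsetof(struct adjacent_buffers, msg));
}

size_t gap_odd_nick_to_flags(void)
{
    return gap_between(offsetof(struct odd_then_int, nick),
                       sizeof(((struct odd_then_int *)0)->nick),
                       offsetof(struct odd_then_int, flags));
}

int main(void)
{
    printf("nick after a 1-byte field: offset %zu, 4-byte aligned: %s\n",
           nick_offset_after_type(),
           offset_is_aligned(nick_offset_after_type(), 4) ? "yes" : "no");
    printf("padding between nick[16] and msg[32]: %zu bytes\n", gap_nick_to_msg());
    printf("padding between nick[13] and an int:  %zu bytes\n", gap_odd_nick_to_flags());
    return 0;
}
```

The takeaway for anyone reviewing C code is that padding is incidental, decided by the compiler from member sizes and alignment requirements, and so it cannot be relied on as a boundary between buffers; bounds checking on the copy into each buffer is what separates them.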