Vulnerability Development mailing list archives

Re: Is GOT exploitable in solaris?


From: Juliano Rizzo <core.lists.exploit-dev () core-sdi com>
Date: Fri, 28 Dec 2001 13:14:30 -0300


I've never tried what you're attempting to do but if you can
exploit the format string multiple times you could overwrite
a couple of instructions in the PLT and create a JMPL
instruction.

It's possible to overwrite the PLT with a CALL instruction,
writing only once. I did it on Solaris 2.7/sparc.

The easiest way to exploit a format string is to overwrite any return
address (paddress) to point to your shellcode, but you can add a few
lines of code to your exploit and translate the address of your
shellcode (value) to a sparc call opcode.
In this way you are able to overwrite the PLT.

/* p_plt: set when the address being overwritten (paddress) is a PLT entry.
   Turn the shellcode address (value) into a SPARC CALL opcode: op field 01
   in the top two bits, disp30 = word displacement from paddress. */
if (p_plt)
  {
    value = ((value - paddress) / 4) + 0x40000000;
    printf ("Sparc Opcode:%x\n", value);
  }


--
==============[ CORE Security Technologies ]===============
Juliano Rizzo
Security Consultant
juliano.rizzo () corest com

Florida 141  |  2º cuerpo  |  7º piso
(C1005AAC) Buenos Aires  |  Argentina
Tel/Fax : (54 11) 4878-CORE (2673)
info.argentina () corest com  |  www.corest.com
=====================================================

This eMail and any files attached to it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you are not the intended recipient or the person responsible for
delivering to the intended recipient, be advised that you have received
this email in error and that any use is strictly prohibited. If you have
received this email in error, please notify Core Security Technologies by
reply email or dial (54 11) 4878-CORE (2673), and delete the material from
any computer. Thank you.

--- for a personal reply use: Juliano Rizzo <juliano.rizzo () corest com>
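Added example (not from the post above or from Core's exploit code): the SPARC CALL encoding the post relies on, written as an encoder plus the matching decoder, so that a word found in a PLT can be recognised as a CALL and its target recovered and checked against the range it should stay in. All addresses used are constructed; the range-check helper is a hypothetical analyst utility, not a Solaris API.

```c
#include <stdint.h>
#include <stdio.h>

/* SPARC CALL format: bits 31-30 = 01, bits 29-0 = disp30, a signed word
 * displacement from the CALL's own address. Target = PC + 4 * disp30. */
#define SPARC_CALL_OP   0x40000000u
#define SPARC_DISP_MASK 0x3fffffffu

/* Encode a CALL placed at `pc` that transfers to `target`.
 * Returns 0 on success, -1 if either address is not word aligned.
 * Unsigned wrap-around of (target - pc) is the two's-complement
 * displacement, so targets below `pc` encode correctly too; this is
 * the post's ((value - paddress)/4) + 0x40000000 done in uint32_t. */
int sparc_encode_call(uint32_t pc, uint32_t target, uint32_t *insn)
{
    if ((pc | target) & 3u)
        return -1;
    *insn = SPARC_CALL_OP | (((target - pc) >> 2) & SPARC_DISP_MASK);
    return 0;
}

/* Decode a 32-bit word found at `pc`. Returns 0 and fills *target if it
 * is a CALL, -1 otherwise. Shifting the op field out to the left leaves
 * 4 * disp30 modulo 2^32, which unsigned addition applies correctly. */
int sparc_decode_call(uint32_t pc, uint32_t insn, uint32_t *target)
{
    if ((insn >> 30) != 1u)
        return -1;
    *target = pc + (insn << 2);
    return 0;
}

/* Hypothetical integrity check over a PLT snapshot: a CALL whose target
 * lies outside [text_lo, text_hi) is worth flagging. Returns 1 if the
 * word is a CALL that leaves the range, 0 otherwise. */
int sparc_call_leaves_range(uint32_t pc, uint32_t insn,
                            uint32_t text_lo, uint32_t text_hi)
{
    uint32_t t;
    if (sparc_decode_call(pc, insn, &t) != 0)
        return 0;                     /* not a CALL: nothing to flag */
    return t < text_lo || t >= text_hi;
}

int main(void)
{
    /* Constructed values: a PLT entry at 0x20004 and a target below it. */
    uint32_t plt_entry = 0x00020004u, target = 0x0001ff00u, insn, back;
    if (sparc_encode_call(plt_entry, target, &insn) == 0 &&
        sparc_decode_call(plt_entry, insn, &back) == 0)
        printf("CALL at %08x -> %08x is %08x, decodes to %08x\n",
               plt_entry, target, insn, back);
    return 0;
}
```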

