Vulnerability Development mailing list archives

Gera's Insecure Programming abo7


From: sin <sin () insolence net>
Date: Thu, 29 May 2003 10:26:52 -0500 (CDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi.

I'm working on Gera's insecure programming stuff, currently on abo7; as I
understand it, this is unexploitable on most (all?) current platforms
because of the order the sections are linked in?
The direct problem here being that .eh_frame and .dynamic directly follow
.data, so that I can't ever get control, because I can't overwrite useful
(to me) data without overwriting useful (to it) data.
So the thought that crosses my mind is: why not just copy what is in
.eh_frame and .dynamic and .ctors until I reach .dtors? Looking through
memory I see .dynamic is mostly 0-filled memory, which kinda; well, it
screws that idea.
So here are my questions:

1) What exactly is .dynamic used for? I mean obviously it's something to do
with dynamic data of some sort, I assume libc symbol stuff? What I am more
asking is, where can I find more information on it; what exactly belongs
where in .dynamic? (This question applies to really all sections; where
can I find specific information pertaining to, like, the plt, rplt, etc.; I've
read some about them, and I have a working idea of what they do, just
looking for more details.)

2) There is no way I can just overwrite .dynamic and change the 0's to, say,
01's, is there?

3) How far back into gcc history do I need to dig to get a version that
assembles the sections in a different order? (Is this a gcc thing? An as
thing? Or a glibc thing? [I realize this isn't GNU specific])

thanks
j



"Once set in motion, the process of questioning could come to but one end,
the erosion of conviction and certitude and collapse into despair" (The
Specter of the Absurd, 1988).


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+1ia+oEcehqzkkpgRAkTRAJ4neEKtwBERz3sGhJ5rsgNvrJWusQCgq+2X
pmxZSAU8vxng1zY9vz6SHCU=
=G2dS
-----END PGP SIGNATURE-----
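The two things the post is asking about, what lives in .dynamic and which sections sit between .data and .dtors, are both answerable by reading the ELF structures directly, and that is also the check a defender runs when deciding whether a binary's loader metadata is laid out read-only. The script below is an added example, not part of the post or of Gera's exercises. It decodes the Elf32_Dyn (or Elf64_Dyn) entries of a .dynamic section into their specification tag names, reports how many zero bytes follow the DT_NULL terminator (the "mostly 0-filled" tail the poster saw), tests whether the entries request immediate symbol binding, and lists the sections laid out between two named sections. The .dynamic bytes, .dynstr blob, section names, addresses and sizes are all constructed sample input, not taken from any real binary; the tag numbers and flag bits are the ELF specification's values.

```python
import struct

# .dynamic d_tag values from the ELF specification (representative subset).
DT_TAGS = {
    0: "DT_NULL", 1: "DT_NEEDED", 2: "DT_PLTRELSZ", 3: "DT_PLTGOT", 4: "DT_HASH",
    5: "DT_STRTAB", 6: "DT_SYMTAB", 7: "DT_RELA", 8: "DT_RELASZ", 9: "DT_RELAENT",
    10: "DT_STRSZ", 11: "DT_SYMENT", 12: "DT_INIT", 13: "DT_FINI", 14: "DT_SONAME",
    15: "DT_RPATH", 17: "DT_REL", 18: "DT_RELSZ", 19: "DT_RELENT", 20: "DT_PLTREL",
    21: "DT_DEBUG", 22: "DT_TEXTREL", 23: "DT_JMPREL", 24: "DT_BIND_NOW",
    29: "DT_RUNPATH", 30: "DT_FLAGS", 0x6FFFFFFB: "DT_FLAGS_1",
}
STRING_TAGS = {"DT_NEEDED", "DT_SONAME", "DT_RPATH", "DT_RUNPATH"}  # d_val indexes .dynstr
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1  # flag bits in DT_FLAGS / DT_FLAGS_1


def dynstr_at(dynstr: bytes, off: int) -> str:
    """Read the NUL-terminated string at offset `off` of a .dynstr blob."""
    return dynstr[off:dynstr.index(b"\0", off)].decode("ascii")


def parse_dynamic(dynamic: bytes, dynstr: bytes, elfclass: int = 32):
    """Decode .dynamic entries up to the DT_NULL terminator.

    Returns (entries, trailing_bytes): the decoded (tag name, value) pairs and
    the number of bytes after the terminator, i.e. the zero-filled tail that
    shows up when the section is dumped from memory.
    """
    fmt = "<iI" if elfclass == 32 else "<qQ"  # Elf32_Dyn / Elf64_Dyn, little-endian
    size = struct.calcsize(fmt)
    entries, pos = [], 0
    while pos + size <= len(dynamic):
        tag, val = struct.unpack_from(fmt, dynamic, pos)
        pos += size
        name = DT_TAGS.get(tag, f"DT_UNKNOWN(0x{tag:x})")
        if name == "DT_NULL":
            break
        entries.append((name, dynstr_at(dynstr, val) if name in STRING_TAGS else val))
    return entries, len(dynamic) - pos


def binds_now(entries) -> bool:
    """True if the loader is told to resolve every symbol at start-up (what full RELRO relies on)."""
    for name, val in entries:
        if name == "DT_BIND_NOW":
            return True
        if name == "DT_FLAGS" and val & DF_BIND_NOW:
            return True
        if name == "DT_FLAGS_1" and val & DF_1_NOW:
            return True
    return False


def sections_between(sections, first: str, last: str):
    """Names of the sections laid out after `first` and before `last`, ordered by address."""
    by_name = {name: (addr, size) for name, addr, size in sections}
    lo = by_name[first][0] + by_name[first][1]
    hi = by_name[last][0]
    return [n for n, addr, _ in sorted(sections, key=lambda s: s[1]) if lo <= addr < hi]


# --- Constructed sample input (not taken from any real binary) --------------
SAMPLE_DYNSTR = b"\0libc.so.6\0"
SAMPLE_DYNAMIC = b"".join(struct.pack("<iI", tag, val) for tag, val in [
    (1, 1),            # DT_NEEDED   -> "libc.so.6"
    (12, 0x080482E8),  # DT_INIT
    (13, 0x08048520),  # DT_FINI
    (4, 0x08048128),   # DT_HASH
    (5, 0x080481E8),   # DT_STRTAB
    (6, 0x08048158),   # DT_SYMTAB
    (10, 0x4D),        # DT_STRSZ
    (11, 0x10),        # DT_SYMENT
    (21, 0),           # DT_DEBUG (the loader fills this in at run time)
    (3, 0x08049658),   # DT_PLTGOT
    (2, 0x10),         # DT_PLTRELSZ
    (20, 17),          # DT_PLTREL = DT_REL
    (23, 0x08048290),  # DT_JMPREL
    (17, 0x08048288),  # DT_REL
    (18, 0x8),         # DT_RELSZ
    (19, 0x8),         # DT_RELENT
    (0, 0),            # DT_NULL terminator
]) + b"\0" * 64       # zeroed spare slots after the terminator (constructed)

# Constructed section table (name, address, size) in the order the post describes.
SAMPLE_SECTIONS = [
    (".data", 0x08049560, 0x1C), (".eh_frame", 0x0804957C, 0x4),
    (".dynamic", 0x08049580, 0xC8), (".ctors", 0x08049648, 0x8),
    (".dtors", 0x08049650, 0x8), (".got", 0x08049658, 0x20), (".bss", 0x08049678, 0x10),
]

if __name__ == "__main__":
    entries, tail = parse_dynamic(SAMPLE_DYNAMIC, SAMPLE_DYNSTR)
    for name, val in entries:
        print(f"{name:<12} {val if isinstance(val, str) else hex(val)}")
    print(f"{tail} zero bytes after DT_NULL; BIND_NOW requested: {binds_now(entries)}")
    print("between .data and .dtors:", sections_between(SAMPLE_SECTIONS, ".data", ".dtors"))
```

On a real binary the same decoding is what `readelf -d` and `readelf -S` print, and the sample data is shaped after their output: the entries up to DT_NULL are what the loader consumes, and the zero tail is the spare DT_NULL slots GNU ld leaves at the end of the section (see its `--spare-dynamic-tags` option). From a hardening standpoint the layout question is the interesting one: with RELRO the linker groups .dynamic, .ctors/.dtors (or .init_array/.fini_array) and the non-PLT part of .got into a region that is made read-only after relocation, and `binds_now` being true is the precondition for the PLT GOT to be included in that region as well, so a writable overflow from .data no longer has loader metadata next to it.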

