Vulnerability Development mailing list archives
Re: Buffer Overflows
From: Gerardo Richarte <gera () corest com>
Date: Thu, 01 Apr 2004 11:36:56 -0300
In a previous mail I said:
Another example of "Closed source OS" (quotes because you can get some of the sources for solaris, at least there was an open source version of solaris 8, for the source sharing community, or something like that).
And in response to this, warning3 sent me an email saying that it's not possible to use the "jmp esp" trick on solaris/sparc, which is absolutely correct, because "esp" gets corrupted, as well as all the other registers, when you overwrite the saved register window. In our cases, when we used the "jmp esp" trick, it was not a jmp esp, but rather a jmp %gx, and the global was, rather unexpectedly, pointing to our code. I don't think this is going to be generic.

Other cases where we use the "address database" in solaris are for the addresses of exitfns (atexit() function pointers), and libc's PLT. The trick of using atexit() function pointers was pretty reliable for us; however, to exploit it you have to be able to force an exit() in the application, which is not always the case.

Of course, the original "jmp esp" can be used on solaris/i386, but nobody really cares much about that.

gera