Vulnerability Development mailing list archives

Re: Randomized Stack


From: Oldani Massimiliano <sgrakkyu () antifork org>
Date: Fri, 25 Nov 2005 17:47:42 +0100


On Nov 23, 2005, at 10:21 PM, veider () ank-pki ru wrote:

Hello, All!

I am trying to exploit a stack based overflow on a system with stack randomization. Knowing function addresses from "objdump -D", I am able
to run those functions. I've read the phrack article about bypassing
PaX ASLR, but there the author is able to control function arguments, which is
impossible in my case. Any ideas on what I may try?

Bye, All.

Stack random? Only a random stack? Or random mmap()/stack with a no-exec workaround? If you have only a random stack and you can execute code on the stack, you can check for an interesting pointer on the stack and chain a ret-into-ret until you get it,
or find a jmp *%esp instruction somewhere and jump to your payload.
Alternatively you can construct arguments with a ret-into-PLT strcpy() chain in some RW place and then use them.
-----------
Oldani (sgrakkyu) Massimiliano

Antifork Research, Inc.
Metro Olografix
