Vulnerability Development mailing list archives

Re: Randomized Stack


From: Rik Bobbaers <Rik.Bobbaers () cc kuleuven be>
Date: Mon, 28 Nov 2005 15:41:58 +0100

On Friday 25 November 2005 17:47, Oldani Massimiliano wrote:

Stack random? only random stack? or with random mmap()/stack and
no-exec workaround ?
If you have only a random stack and you can execute code in the stack,
you can check for interesting pointers in the stack and chain a
ret-into-ret until you get it,
or find somewhere a jmp *%esp instruction and jump on your payload.
Alternatively you can construct arguments with a ret-into-PLT strcpy()
chain in some RW place and then use them.

an alternative (easier ;)): put a 64k nopsled in front of your shellcode and 
"brute force" it ;)

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT          -=- Tel: +32 485 52 71 50
Rik.Bobbaers () cc kuleuven be -=- http://harry.ulyssis.org

Disclaimer:
By sending an email to ANY of my addresses you are agreeing that:
  1. I am by definition, "the intended recipient"
  2. All information in the email is mine to do with as I see fit and make 
such financial profit, political mileage, or good joke as it lends itself to. 
In particular, I may quote it on usenet.
  3. I may take the contents as representing the views of your company.
  4. This overrides any disclaimer or statement of confidentiality that may be 
included on your message. 

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
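
A defender's check that fits this thread, added here and not from either list post: measure how many bits of stack-base randomization a Linux host actually gives, by reading the [stack] mapping from /proc/self/maps of freshly exec'd processes. It assumes a Linux /proc and a grep binary; the sample maps line is constructed.

```python
"""Estimate how much stack-base randomization a Linux host actually provides.

Each `grep` below is a fresh exec, so its /proc/self/maps shows an independently
randomized [stack] mapping. The estimate is a lower bound from the distinct
bases observed; a low value means a sled-and-retry guess, as discussed in the
thread, needs few attempts, which is why randomization complements rather than
replaces a non-executable stack.
"""
import math
import subprocess

# Constructed sample of the line we parse (address is made up for the example).
SAMPLE_MAPS_LINE = "7ffd1a2b3000-7ffd1a2d4000 rw-p 00000000 00:00 0    [stack]\n"


def parse_stack_base(maps_text: str) -> int:
    """Return the start address of the [stack] mapping from /proc/<pid>/maps text."""
    for line in maps_text.splitlines():
        if line.rstrip().endswith("[stack]"):
            start, _end = line.split()[0].split("-")
            return int(start, 16)
    raise ValueError("no [stack] mapping found")


def sample_stack_bases(n: int) -> list:
    """Exec `grep` n times and record where each fresh process got its stack."""
    bases = []
    for _ in range(n):
        out = subprocess.run(["grep", "stack", "/proc/self/maps"],
                             capture_output=True, text=True, check=True).stdout
        bases.append(parse_stack_base(out))
    return bases


def entropy_bits(bases: list, page_shift: int = 12) -> float:
    """Lower-bound estimate of stack-base randomization in bits.

    Bases are compared at page granularity; log2 of the number of distinct
    pages seen cannot exceed the true entropy and approaches it as n grows.
    """
    pages = {b >> page_shift for b in bases}
    return math.log2(len(pages))


if __name__ == "__main__":
    samples = sample_stack_bases(256)
    print(f"observed >= {entropy_bits(samples):.1f} bits of stack-base entropy "
          f"({len(set(samples))} distinct bases in {len(samples)} runs)")
```

With randomization disabled (randomize_va_space = 0) every run reports the same base and the estimate is 0 bits.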
