Security Basics mailing list archives
Re: Exploit writing when EIP is not corrupted but EDX, EBP register are having user supplied data
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 5 Jul 2010 11:48:04 -0700
I had a condition where "EDX and EBP registers are filled with user supplied data but EIP is not getting corrupted". How can I write a working exploit to this?
There is no simple answer - it depends on what is being done with these registers at the time of the crash (if anything at all - inspect what's under eip), and what else happened or could have happened in the code between the original coding error and the crash location. In many cases, seeing attacker-controlled content in general-purpose registers is just a red herring: this data may be left over from any earlier operations that processed said data, and the crash itself may be a simple NULL pointer dereference or somesuch. Consequently, the absence of "AAAA" in any register does not mean that the condition that got you to this crash did not involve overwriting something important in an attacker-controlled manner (particularly common with race conditions and memory corruption). /mz ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Exploit writing when EIP is not corrupted but EDX, EBP register are having user supplied data praveen_recker (Jul 05)
- Re: Exploit writing when EIP is not corrupted but EDX, EBP register are having user supplied data Michal Zalewski (Jul 05)
- <Possible follow-ups>
- Re: Exploit writing when EIP is not corrupted but EDX, EBP register are having user supplied data alkindi (Jul 06)