Bugtraq mailing list archives
Smashing the stack on a DEC Alpha
From: lamontg () hitl washington edu (Lamont Granquist)
Date: Thu, 16 Jan 1997 14:39:37 -0800
I've been trying to implement Aleph1's stack-smashing attack, but on a DEC Alpha, and have run into a bit of a glitch here. First, the Alpha appears to stick the return address lower than the dynamic variables in the frame -- okay, so you have to overwrite the return address of the previous function such that it executes out of the environment. Not a major problem. However, I'm trying to work my way up to executing code in the dataspace and I'm running into a bit of a problem, e.g.:

    #include <stdio.h>

    int main(void)
    {
        int *ad1;
        char shellcode[] = "\x01\x80\xfa\x6b";   /* ret */

        /* $15 is the frame pointer: compute &shellcode (24 bytes into the
         * frame) and store it into ad1 (16 bytes into the frame) */
        __asm__("  addq $15,24,$8\n"
                "  stq  $8,16($15)\n");

        printf("%x\n", &ad1);
        printf("%x\n", ad1);
        printf("%x\n", &shellcode);
        printf("%x\n", *ad1);

        /* recompute &shellcode into $21 and jump there, return address in $26 */
        __asm__("  addq $15,24,$21\n"
                "  jsr  $26,($21)\n");

        printf("jsr worked\n");
        return 0;
    }

That works correctly in that ad1 == &shellcode and *ad1 == 0x6bfa8001, but it seems that it croaks when it attempts to execute the jsr into the stack:
    ./testsc
    1ffff6c0
    1ffff6c8
    1ffff6c8
    6bfa8001
    Segmentation fault (core dumped)
I haven't tried throwing the code into the environment and trying to execute it there, but I can't see how that would make much of a difference over the stack...

--
Lamont Granquist <lamontg () hitl washington edu> (206)616-1469 fax:(206)543-5380
Human Interface Technology Lab. University of Washington. Seattle, WA
PGP pubkey: finger lamontg () hitl washington edu
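The post above jumps into a byte string that lives in a stack buffer. Whether such a jump runs or faults depends, among other things, on whether the stack mapping is executable at all, which is the property a defender wants to verify on a hardened build. The following is an added example, not code from Lamont Granquist's post or from any Alpha toolchain: it parses the Linux /proc/self/maps format (an assumption about the platform; the Alpha/Digital UNIX system in the post has no such file) and reports whether the [stack] mapping carries the 'x' permission. The two sample map listings are constructed for illustration; the addresses and paths in them are made up.

```c
#include <stdio.h>
#include <string.h>

/* Parse one line in /proc/self/maps format:
 *   start-end perms offset dev inode [path]
 * Returns 1 if the line describes the main-thread [stack] mapping, 0 otherwise.
 * *exec is set to 1 when the perms field contains 'x'. */
static int parse_maps_line(const char *line, int *exec)
{
    char perms[8];
    char path[256] = "";          /* stays empty when the line has no path */
    unsigned long start, end;

    if (sscanf(line, "%lx-%lx %7s %*s %*s %*s %255s",
               &start, &end, perms, path) < 3)
        return 0;                 /* not a well-formed maps line */
    *exec = (strchr(perms, 'x') != NULL);
    return strcmp(path, "[stack]") == 0;
}

/* Scan a newline-separated buffer of maps-format text.
 * Returns 1 if the [stack] mapping is executable, 0 if it is non-executable,
 * and -1 if no [stack] line was found. */
int stack_exec_from_maps(const char *maps_text)
{
    char line[512];
    const char *p = maps_text;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1; /* truncate an overlong line */
        memcpy(line, p, len);
        line[len] = '\0';

        int exec = 0;
        if (parse_maps_line(line, &exec))
            return exec;
        p = nl ? nl + 1 : p + len;
    }
    return -1;
}

/* Check the running process itself (Linux only; -1 if /proc is unavailable). */
int stack_exec_self(void)
{
    static char buf[65536];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return stack_exec_from_maps(buf);
}

/* Constructed sample: the non-executable stack a default Linux build gets. */
const char sample_nx[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/testsc\n"
    "7ffd1234a000-7ffd1236b000 rw-p 00000000 00:00 0 [stack]\n";

/* Constructed sample: a process whose stack has been mapped executable. */
const char sample_exec[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/testsc\n"
    "7ffd1234a000-7ffd1236b000 rwxp 00000000 00:00 0 [stack]\n";

int main(void)
{
    printf("constructed NX sample   -> %d\n", stack_exec_from_maps(sample_nx));
    printf("constructed exec sample -> %d\n", stack_exec_from_maps(sample_exec));
    printf("this process            -> %d\n", stack_exec_self());
    return 0;
}
```

A result of 0 for the running process means a jump into a stack buffer faults before any byte of it executes, regardless of what the frame layout lets an attacker overwrite; a result of 1 is the condition worth flagging on a binary that has no legitimate reason to need an executable stack.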