Dailydave mailing list archives
Re: (windows is vulnerable too) & final comments on naming
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 07 Mar 2007 15:13:02 -0500
You can find some funny bugs in your debuggers when you're mapping 0. Most of them (Olly/ImmDBG at least) will refuse to view the memory section, but if you force them to view address 1, they'll see the data there.

I happen to be porting a kernel exploit from C to Python/MOSDEF right now which uses this trick. :>

-dave

(I'm sure ImmDBG will be fixed shortly.)

intropy wrote:

> On 3/7/07, Brad Spengler <spender () grsecurity net> wrote:
>
> > What version of Windows are you using? Maybe you're getting confused with the behavior that giving a NULL address as a hint to any allocation/mapping function is a special case within the OS to select its own address. Luckily though, the address passed in is rounded down internally, so giving an address of 1 will let you allocate at the 0 address.
>
> Microsoft's own driver verifier does this to trap NULL derefs when exercising code. In the dc2 application specifying /n will map the 0x0 page.
>
> "/n Map zero page so that NULL pointer de-references don't raise"
>
> And it's done just like you:
>
> 45C push 4
> 460 push 3000h
> 464 lea ecx, [ebp+var_1C]
> 464 push ecx
> 468 push 1
> 46C lea edx, [ebp+var_14]
> 46C push edx
> 470 push 0FFFFFFFFh
> 474 call ds:NtAllocateVirtualMemory
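The point both posters make is that a non-NULL hint to NtAllocateVirtualMemory is rounded down, so a hint of 1 commits page 0 and NULL dereferences stop faulting. The following is an added example, not code from the thread: it models that rounding (the model is an assumption built from the description above, not the kernel's logic), maps the pushed arguments in the dc2 listing onto the call's parameters, and runs a defender-side check over a constructed region list to flag a process whose zero page is committed.

```python
from dataclasses import dataclass

PAGE_SIZE = 0x1000
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000   # documented Windows values
PAGE_READWRITE = 0x4

@dataclass
class Region:
    base: int
    size: int
    state: int     # MEM_COMMIT and/or MEM_RESERVE bits
    protect: int

def model_allocation(base_hint, size, alloc_type, protect):
    """Model of the hint handling the thread describes (assumption, not the
    kernel's code): a non-NULL hint is rounded down to a page boundary and
    the requested range rounded up to whole pages, so hint 1 lands on page 0.
    A NULL hint means 'kernel picks an address' and is not modelled."""
    if base_hint == 0:
        raise ValueError("NULL hint lets the kernel choose the address")
    base = base_hint & ~(PAGE_SIZE - 1)
    end = (base_hint + size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1)
    return Region(base, end - base, alloc_type & (MEM_COMMIT | MEM_RESERVE), protect)

def decode_nt_alloc_pushes(pushes):
    """Map the values pushed (right-to-left) before the call in the dc2
    listing onto NtAllocateVirtualMemory's parameter names."""
    names = ["Protect", "AllocationType", "RegionSize_ptr", "ZeroBits",
             "BaseAddress_ptr", "ProcessHandle"]
    return dict(zip(names, pushes))

def zero_page_regions(regions):
    """Defender check: return committed regions that cover virtual page 0.
    Any hit means NULL dereferences in that process no longer fault, which
    is exactly what the /n switch (and the exploit) rely on."""
    return [r for r in regions
            if r.state & MEM_COMMIT and r.base == 0 and r.size > 0]

# Constructed sample: the dc2 /n allocation next to an ordinary heap region.
SAMPLE_REGIONS = [
    model_allocation(1, 4, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE),
    Region(0x00400000, 0x1000, MEM_COMMIT, PAGE_READWRITE),
]

if __name__ == "__main__":
    print(decode_nt_alloc_pushes([4, 0x3000, "ecx", 1, "edx", 0xFFFFFFFF]))
    for r in zero_page_regions(SAMPLE_REGIONS):
        print(f"zero page committed: base={r.base:#x} size={r.size:#x}")
```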