Vulnerability Development mailing list archives

Re: No-Exec Stack Smashing 101


From: crispin () WIREX COM (Crispin Cowan)
Date: Wed, 26 Apr 2000 19:01:32 +0000


"Granquist, Lamont" wrote:

Okay, let's say that you've got:

1.  non-exec stack
2.  libc remapped to location with 0x00 in it
3.  statically linked executable, so no PLT functions

And assume the bug is a simple buffer overflow in a string function which
terminates on a 0x00 (i.e. ignore for the moment ways around a 0x00
"canary")

How can you get around that?  Is there a more general way around non-exec
stacks than return-into-PLT exploits?

It's 2 steps:

  1. Inject your payload (code to do "exec(sh)" or equivalent) into some
     heap or static buffer (call it X).  Note that you do *not* have to
     overflow buffer X, just give it a string that happens to be native
     instructions.
  2. Overflow the vulnerable buffer and point the code pointer at X.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
                  JOBS!  http://immunix.org/jobs.html
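The reply's point is that a non-executable stack alone still leaves heap and static buffers as places where injected data could execute. As an added example (not from the thread, assumes Linux and a readable /proc/self/maps), this C program audits the calling process's own address space and reports any mapping that is both writable and executable, so a defender can confirm that heap and .data/.bss, not just the stack, are mapped without PROT_EXEC:

```c
#include <stdio.h>

/* Classify one /proc/<pid>/maps line by its permission field.
 * Returns 1 if the mapping is writable AND executable (W+X: data written
 * there, e.g. into a heap or static buffer, could later run as code),
 * 0 if it is not, and -1 if the line does not look like a maps entry. */
int maps_line_is_wx(const char *line)
{
    unsigned long lo, hi;
    char perms[5];

    if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3)
        return -1;
    return (perms[1] == 'w' && perms[2] == 'x') ? 1 : 0;
}

/* Walk the calling process's own address space and count W+X mappings.
 * Returns the count, or -1 if /proc/self/maps is unavailable (non-Linux).
 * A hardened process should report 0: stack, heap and .data/.bss all
 * mapped without PROT_EXEC, not just the stack. */
int count_wx_mappings(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int wx = 0;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (maps_line_is_wx(line) == 1) {
            printf("W+X mapping: %s", line);  /* line keeps its newline */
            wx++;
        }
    }
    fclose(f);
    return wx;
}

int main(void)
{
    int wx = count_wx_mappings();

    if (wx < 0)
        puts("/proc/self/maps not readable; cannot audit mappings");
    else
        printf("%d writable+executable mapping(s) found\n", wx);
    return wx > 0;
}
```

The same parser can be pointed at /proc/<pid>/maps of a running service to check its heap and data segments after a hardening change.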

