Vulnerability Development mailing list archives
Re: Is GOT exploitable in solaris?
From: Juliano Rizzo <core.lists.exploit-dev () core-sdi com>
Date: Fri, 28 Dec 2001 13:14:30 -0300
I've never tried what you're attempting to do but if you can exploit the format string multiple times you could overwrite a couple of instructions in the PLT and create a JMPL instruction.
It's possible to overwrite the PLT with a CALL instruction, writing only once. I did it on Solaris 2.7/sparc. The easiest way to exploit a format string is to overwrite any return address (paddress) to point to your shellcode, but you can add a few lines of code to your exploit and translate the address of your shellcode (value) to a sparc call opcode. In this way you are able to overwrite the PLT.

    /* paddress: address of the PLT word being overwritten, value: shellcode address */
    if (p_plt) {
        value = ((value - paddress) / 4) + 0x40000000;
        printf("Sparc Opcode:%x\n", value);
    }

--
==============[ CORE Security Technologies ]===============
Juliano Rizzo
Security Consultant
juliano.rizzo () corest com
Florida 141 | 2º cuerpo | 7º piso
(C1005AAC) Buenos Aires | Argentina
Tel/Fax : (54 11) 4878-CORE (2673)
info.argentina () corest com | www.corest.com
=====================================================

This eMail and any files attached to it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this email in error and that any use is strictly prohibited. If you have received this email in error, please notify Core Security Technologies by reply email or dial (54 11) 4878-CORE (2673), and delete the material from any computer. Thank you.

---
for a personal reply use: Juliano Rizzo <juliano.rizzo () corest com>
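Editor's note (added example, not part of the original post or of any Core Security code): the expression in the post is the SPARC V8/V9 CALL encoding, where bits 31:30 hold op=01 (the 0x40000000 constant) and bits 29:0 hold a signed 30-bit word displacement relative to the address of the CALL itself. The C below, written here as an educational illustration, encodes a CALL with explicit alignment and range checks, decodes one back to its target, and shows that the encoder agrees with the posted expression on a forward displacement. The address values in it are constructed, not taken from any real binary; a defender inspecting a dumped PLT word can use the decoder to see whether the word is a CALL and where it would transfer control.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* SPARC CALL: bits 31:30 = 01, bits 29:0 = disp30 (signed, in words).
 * target = pc + 4 * sign_extend(disp30), where pc is the address of the CALL word. */
#define SPARC_CALL_OP   0x40000000u
#define SPARC_DISP_MASK 0x3FFFFFFFu

/* Encode a CALL located at pc that transfers to target.
 * Returns false if either address is not word-aligned or the displacement
 * does not fit in 30 signed bits (the posted expression does neither check). */
bool sparc_encode_call(uint32_t pc, uint32_t target, uint32_t *opcode)
{
    if ((pc & 3u) || (target & 3u))
        return false;
    int64_t disp30 = ((int64_t)target - (int64_t)pc) / 4;
    if (disp30 < -(1LL << 29) || disp30 >= (1LL << 29))
        return false;
    *opcode = SPARC_CALL_OP | ((uint32_t)disp30 & SPARC_DISP_MASK);
    return true;
}

/* Convenience wrapper: the opcode, or 0 (not a valid CALL) on failure. */
uint32_t sparc_encode_call_word(uint32_t pc, uint32_t target)
{
    uint32_t op = 0;
    return sparc_encode_call(pc, target, &op) ? op : 0;
}

/* True if the 32-bit word has the CALL format (op field == 01). */
bool sparc_is_call(uint32_t opcode)
{
    return (opcode >> 30) == 1u;
}

/* Decode the target of a CALL word found at address pc. */
uint32_t sparc_call_target(uint32_t pc, uint32_t opcode)
{
    uint32_t disp30 = opcode & SPARC_DISP_MASK;
    int64_t sdisp = (int64_t)disp30;
    if (disp30 & 0x20000000u)       /* bit 29 set: negative displacement */
        sdisp -= (1LL << 30);
    return (uint32_t)((int64_t)pc + sdisp * 4);
}

/* The posted expression, evaluated in unsigned 32-bit arithmetic, for comparison. */
uint32_t posted_formula(uint32_t value, uint32_t paddress)
{
    return ((value - paddress) / 4) + 0x40000000u;
}

int main(void)
{
    /* Constructed addresses: a PLT word at 0x20000 that should reach 0x21000. */
    uint32_t pc = 0x00020000u, target = 0x00021000u;
    uint32_t op = sparc_encode_call_word(pc, target);
    printf("encoded  : %08x (posted expression gives %08x)\n", op, posted_formula(target, pc));
    printf("is CALL  : %s\n", sparc_is_call(op) ? "yes" : "no");
    printf("decoded  : %08x\n", sparc_call_target(pc, op));
    printf("nop word : CALL? %s\n", sparc_is_call(0x01000000u) ? "yes" : "no");
    return 0;
}
```

The decoder is the part worth keeping at hand on the defensive side: the PLT of a running SPARC process should contain only the linker's own sequences, so a word that decodes as a CALL to an address outside the mapped code of the program and its libraries is worth a closer look.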
Current thread:
- Is GOT exploitable in solaris? Minchu Mo (Dec 24)
- Re: Is GOT exploitable in solaris? KF (Dec 26)
- <Possible follow-ups>
- Re: Is GOT exploitable in solaris? Shaun Clowes (Dec 27)
- Re: Is GOT exploitable in solaris? Juliano Rizzo (Dec 28)