Vulnerability Development mailing list archives

Re: Where else?


From: Michel Arboi <arboi () yahoo com>
Date: Sat, 17 Nov 2001 16:29:46 +0100 (CET)

 --- Hung Vu <hungvu () netcom ca> wrote:
      - Dtors
      - _atexit stuff 

How do you plan to overwrite these?

Where else?

IMHO, you should take the problem in a more systematic way. i.e.
you can overwrite:
1) any pointer to the code
2) code itself
3) or any function that generates the code (using a technique from
points 1 or 2)

(3) could mean "just in time compilers" or interpreters, and I am not
sure these would be worth the cost. Dynamic loader hijack is also in
this category.

(1) C function pointers, return address on stack, method / class
pointer (if this makes sense)...
(2) code segment (if they can be written), code on stack (e.g. glibc &
the GCC trampolines...) or in data segment (some dynamic loaders use
this)

Just my 0.02$
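
The categories above can be audited from the defender's side by reading a binary's program headers. The following is an added example, not part of the original post: it flags writable code (2), an executable stack (2), and a missing PT_GNU_RELRO segment, which leaves pointer tables such as .dtors writable (1). It assumes a little-endian ELF64 image built with a GNU toolchain; the function names and the sample images are constructed for illustration.

```python
import struct

# Program header types and permission bits from the ELF / GNU ABI.
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W = 1, 2
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes

def audit(image):
    """Return findings about writable code and unprotected pointer tables."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(image)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    if phentsize != PHDR.size or phoff + phnum * phentsize > len(image):
        raise ValueError("program header table is malformed or truncated")
    findings, stack_flags, relro = [], None, False
    for i in range(phnum):
        p_type, p_flags, _, vaddr, *_ = PHDR.unpack_from(image, phoff + i * phentsize)
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            # Category (2): code that can be rewritten in place.
            findings.append(f"writable+executable PT_LOAD at {vaddr:#x}")
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    if stack_flags is None:
        findings.append("PT_GNU_STACK missing: stack permissions left to loader default")
    elif stack_flags & PF_X:
        findings.append("executable stack")
    if not relro:
        # Category (1): .dtors/.fini_array/.got stay writable after startup.
        findings.append("no PT_GNU_RELRO: pointer tables remain writable")
    return findings

def build_sample(segments):
    """Constructed test image: an ELF64 header followed by program headers only."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(t, f, 0, v, v, 0, 0, 0x1000) for t, f, v in segments)

# Constructed samples: (type, flags, vaddr) per segment.
WEAK = build_sample([(PT_LOAD, 7, 0x400000), (PT_GNU_STACK, 7, 0)])
HARDENED = build_sample([(PT_LOAD, 5, 0x400000), (PT_LOAD, 6, 0x600000),
                         (PT_GNU_STACK, 6, 0), (PT_GNU_RELRO, 4, 0x600000)])

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```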

