Vulnerability Development mailing list archives

Re: Where else?


From: Hung Vu <hungvu () netcom ca>
Date: Mon, 19 Nov 2001 21:04:44 -0500

Mariusz Woloszyn wrote:
> Local variables and parameters on the stack (beyond RET), especially
> pointers may be sufficient to copy shellcode and pass execution to any
> other rwx segments.
> No wx segments means perfect security.
> It's time to fix the hardware.

But... you still somehow need to change the EIP to execute arbitrary
code (injected or existing).

I did a simple "biggrep" of a simple "unction [Pp]ointer" pattern on the
Glibc 2.1.92 and found some hints about atexit and malloc hooks and a
few other interesting spots.

Of course, there are more...

Hung.

-----------------------
[root@localhost glibc-2.1.92]# biggrep "unction [Pp]ointer"
 /usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog:    the address of a symbol so function pointers are handled properly.
 /usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog:    * elf/rtld.c (_dl_start): Get the function pointer return address
 /usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog.8:    * argp/argp.h: Use __PMT instead of __P for function pointer.
 /usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h:      void (*a_fcn) (void);    /* Function pointer value */
 /usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h:      void (*a_fcn) (void);    /* Function pointer value */
 /usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h:#define R_PARISC_LTOFF_FPTR32    57    /* 32 bits LT-rel. function pointer. */
 /usr/src/redhat/BUILD/glibc-2.1.92/elf/vismain.c:  /* Function pointers: for functions which are marked local and for
 /usr/src/redhat/BUILD/glibc-2.1.92/elf/vismain.c:     which definitions are available all function pointers must be
 /usr/src/redhat/BUILD/glibc-2.1.92/libio/libio.h:/* The structure with the cookie function pointers.  */
 /usr/src/redhat/BUILD/glibc-2.1.92/linuxthreads/ChangeLog:    * sysdeps/pthread/pthread.h: Use __PMT not __P for function pointers.
 /usr/src/redhat/BUILD/glibc-2.1.92/malloc/malloc.c:   function pointers) in a system dependent, opaque data structure.
 /usr/src/redhat/BUILD/glibc-2.1.92/malloc/malloc.c:   `Hook' function pointers are never saved or restored by these
 /usr/src/redhat/BUILD/glibc-2.1.92/manual/libc.info-36:          a function pointer.  *Note Basic Signal Handling::.
 /usr/src/redhat/BUILD/glibc-2.1.92/manual/signal.texi:@code{SIG_IGN}, or a function pointer.  @xref{Basic Signal Handling}.
 /usr/src/redhat/BUILD/glibc-2.1.92/nss/nsswitch.c:      /* Remember function pointer for later calls.  Even if null, we
 /usr/src/redhat/BUILD/glibc-2.1.92/nss/nsswitch.h:/* For mapping a function name to a function pointer.  It is known in
 /usr/src/redhat/BUILD/glibc-2.1.92/nss/nss_db/dummy-db.h:   we're only interested in the function pointers, since that's the
    a1        Contains a function pointer to be registered with `atexit'.
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/i386/elf/start.S:   %edx        Contains a function pointer to be registered with `atexit'.
    %a1        Contains a function pointer to be registered with `atexit'.
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/mips/elf/start.S:   v0 ($2)    Contains a function pointer to be registered with `atexit'.
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/powerpc/dl-start.S:/* Pass a termination function pointer (in this case _dl_fini) in r7.  */
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/s390/elf/start.S:   %r14         Contains a function pointer to be registered with `atexit'.
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/sh/elf/start.S:   r4        Contains a function pointer to be registered with `atexit'.
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/alpha/clone.S:   beq    a0,$error        /* no NULL function pointers */
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/arm/clone.S:   @ save the function pointer as the 0th element
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/i386/clone.S:   movl    FUNC(%esp),%ecx        /* no NULL function pointers */
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/i386/clone.S:   /* Save the function pointer as the zeroth argument.
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/m68k/clone.S:   movel    4(%sp), %a0        /* no NULL function pointers */
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S:   beqz        a0,error    /* No NULL function pointers.  */
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S:   sw        a0,0(a1)    /* Save function pointer.  */
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S:   lw        t9,0(sp)    /* Function pointer.  */
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/s390/clone.S:   ltr     %r1,%r2            /* no NULL function pointers */
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/sh/clone.S:   /* save the function pointer as the 0th element */
 /usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/mbsnrtowcs.c:  /* Get the structure with the function pointers.  */
 /usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/mbsrtowcs.c:  /* Get the structure with the function pointers.  */
 /usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/wcsnrtombs.c:  /* Get the structure with the function pointers.  */
 /usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/wcsrtombs.c:  /* Get the structure with the function pointers.  */
 [root@localhost glibc-2.1.92]#
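The two defensive checks that follow from this exchange, as an added example that is not part of the original post and not glibc code: first, an audit of a /proc/<pid>/maps listing for segments that are both writable and executable (the "wx segments" the quoted message wants gone); second, a table of function pointers in the style of an atexit registration list that is placed in its own page and made read-only with mprotect once registration is finished, so a later stray write faults instead of silently replacing a pointer. The handler-table functions, the `bump` handler and the maps listing are all hypothetical and constructed here; Linux with glibc is assumed (mmap, mprotect, fmemopen, /proc/self/maps).

```c
/* Added example (not from the post or from glibc). Linux/glibc assumed. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* ---- (1) W^X audit of a /proc/<pid>/maps listing ---- */

/* perms is the permission column of /proc/<pid>/maps, e.g. "rwxp". */
int perms_is_wx(const char *perms)
{
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Count mappings in a maps-format stream that are writable and executable. */
int count_wx_mappings(FILE *maps)
{
    char line[512], perms[8];
    int n = 0;
    while (fgets(line, sizeof line, maps))
        if (sscanf(line, "%*s %7s", perms) == 1 && perms_is_wx(perms))
            n++;
    return n;
}

/* Constructed sample listing (not a real capture); the rwxp heap line is the
 * kind of segment the quoted message says should not exist. */
static const char sample_maps[] =
    "08048000-08049000 r-xp 00000000 03:01 12345 /bin/true\n"
    "08049000-0804a000 rw-p 00001000 03:01 12345 /bin/true\n"
    "0804a000-0806b000 rwxp 00000000 00:00 0     [heap]\n"
    "bffeb000-c0000000 rw-p 00000000 00:00 0     [stack]\n";

int count_wx_in_sample(void)
{
    FILE *f = fmemopen((void *)sample_maps, sizeof sample_maps - 1, "r");
    if (!f) return -1;
    int n = count_wx_mappings(f);
    fclose(f);
    return n;
}

/* ---- (2) a hypothetical function-pointer table sealed after setup ---- */

typedef void (*handler_fn)(void);

static handler_fn *table;            /* one anonymous page holding the pointers */
static size_t table_cap, table_len;
static long page_size;
static int table_sealed;

int handlers_init(void)
{
    page_size = sysconf(_SC_PAGESIZE);
    table = mmap(NULL, (size_t)page_size, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (table == MAP_FAILED) { table = NULL; return -1; }
    table_cap = (size_t)page_size / sizeof(handler_fn);
    table_len = 0;
    table_sealed = 0;
    return 0;
}

/* Registration is only accepted before the page is sealed. */
int handlers_register(handler_fn fn)
{
    if (!table || table_sealed || !fn || table_len >= table_cap) return -1;
    table[table_len++] = fn;
    return 0;
}

/* Drop write permission on the page: the pointers stay callable but can no
 * longer be overwritten through a memory-corruption bug. */
int handlers_seal(void)
{
    if (!table || mprotect(table, (size_t)page_size, PROT_READ) != 0) return -1;
    table_sealed = 1;
    return 0;
}

/* Call every registered handler; returns how many ran. */
int handlers_run_all(void)
{
    for (size_t i = 0; i < table_len; i++) table[i]();
    return (int)table_len;
}

/* Cross-check against the live maps file: 1 = table page writable,
 * 0 = read-only, -1 = /proc unavailable or range not found. */
int table_writable_per_maps(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512], perms[8];
    unsigned long lo, hi, t = (unsigned long)(uintptr_t)table;
    int result = -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) == 3 && t >= lo && t < hi) {
            result = strchr(perms, 'w') != NULL;
            break;
        }
    fclose(f);
    return result;
}

static int calls;
static void bump(void) { calls++; }      /* constructed demo handler */
int handler_calls(void) { return calls; }

int main(void)
{
    printf("wx mappings in sample listing: %d\n", count_wx_in_sample());
    if (handlers_init() != 0) return 1;
    handlers_register(bump);
    handlers_register(bump);
    handlers_seal();
    printf("register after seal: %d, page writable: %d, handlers run: %d\n",
           handlers_register(bump), table_writable_per_maps(), handlers_run_all());
    return 0;
}
```

The maps audit is the same check one would run against a live process (`fopen("/proc/<pid>/maps")` instead of the constructed listing); the sealed table is the pattern later adopted by RELRO for the dynamic linker's own pointer tables, applied here to an application-level registration list.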

