Vulnerability Development mailing list archives
Re: Randomized Stack
From: Rik Bobbaers <Rik.Bobbaers () cc kuleuven be>
Date: Mon, 28 Nov 2005 15:41:58 +0100
On Friday 25 November 2005 17:47, Oldani Massimiliano wrote:
> Stack random? Only random stack? Or with random mmap()/stack and a no-exec workaround? If you have only a random stack and you can execute code in the stack, you can check for an interesting pointer in the stack and chain a ret-into-ret until you get it, or find somewhere a jmp *%esp instruction and jump to your payload. Alternatively, you can construct arguments with a ret-into-PLT strcpy() chain in some RW place and then use them.
An alternative (easier ;)): put a 64k nopsled in front of your shellcode and "brute force" it ;)

--
harry aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers () cc kuleuven be -=- http://harry.ulyssis.org

Disclaimer: By sending an email to ANY of my addresses you are agreeing that:
1. I am, by definition, "the intended recipient".
2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to. In particular, I may quote it on usenet.
3. I may take the contents as representing the views of your company.
4. This overrides any disclaimer or statement of confidentiality that may be included on your message.

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
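The weak configuration both posters describe is a stack that is randomized but still executable, with little enough entropy that a large nopsled and repeated attempts suffice. As an added defender's check (my example, not code from the thread), the script below samples the `[stack]` mapping of fresh Linux processes from `/proc/<pid>/maps`, reports how many distinct stack positions it saw, the rough spread in bits, and whether the mapping carries the `x` permission. The maps lines in the test are constructed samples.

```python
#!/usr/bin/env python3
"""Check whether a Linux host really randomizes the stack and whether the
stack mapping is executable (the combination the thread calls weak).
Added example; constructed, not code from the original posts."""
import re
import subprocess

# One /proc/<pid>/maps line, e.g.
# 7ffc1a2b3000-7ffc1a2d4000 rw-p 00000000 00:00 0    [stack]
STACK_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S+) .*\[stack\]$", re.M)


def parse_stack_mapping(maps_text):
    """Return (start, end, perms) for the [stack] line of a maps dump."""
    m = STACK_RE.search(maps_text)
    if not m:
        raise ValueError("no [stack] mapping found")
    return int(m.group(1), 16), int(m.group(2), 16), m.group(3)


def assess(samples):
    """Summarise a list of (start, end, perms) tuples from separate processes.
    The stack top (end) is what the kernel randomizes, so we compare that."""
    tops = {end for _, end, _ in samples}
    spread = (max(tops) - min(tops)) if len(tops) > 1 else 0
    return {
        "samples": len(samples),
        "distinct_stack_tops": len(tops),
        "randomized": len(tops) > 1,
        "spread_bits": spread.bit_length(),  # crude lower bound on entropy
        "executable_stack": any("x" in perms for _, _, perms in samples),
    }


def sample_live(n=8):
    """Spawn n short-lived processes; each reports its own stack mapping."""
    out = []
    for _ in range(n):
        maps = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                              text=True, check=True).stdout
        out.append(parse_stack_mapping(maps))
    return out


if __name__ == "__main__":
    for key, value in assess(sample_live()).items():
        print(f"{key}: {value}")
```

A report of `randomized: False` or `executable_stack: True` on a production host means the mitigation the thread assumes is not actually in place; check `/proc/sys/kernel/randomize_va_space` and the binary's GNU_STACK flags respectively.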
Current thread:
- Randomized Stack veider (Nov 24)
- Re: Randomized Stack Oldani Massimiliano (Nov 25)
- Re: Randomized Stack Rik Bobbaers (Nov 28)
- Re: Randomized Stack Oldani Massimiliano (Nov 25)