Re: Future of buffer overflows ?
From: tseeker () probemail com
Date: Thu, 2 Nov 2000 04:13:53 -600
> Feed a return address and arguments so the RET "calls" memcpy(),
> and use this memcpy() to move the buffer to some place you can
> jump to later. Then tell memcpy() to return to this new place

clarifying:
memcpy() needs an argument specifying the number of bytes to
copy. It will contain 0, so you will have problems with putting
it on the stack. strcpy() is a better choice. This technique
was first described (some years ago) in "Defeating Solar
Designer non-executable stack patch" by Nergal.
Check it out; the second method can be used to bypass PaX
protection as well. It additionally deals with the case when
libc is mapped into a region whose address begins with NULL.
> The second option... let's call it "pop&ret"

That is pretty cool.
ProbeMail / http://www.probemail.com