Vulnerability Development: Re: Where else?

Re: Where else?

From: Hung Vu <hungvu_at_netcom.ca>
Date: Mon, 19 Nov 2001 21:04:44 -0500

Mariusz Woloszyn wrote:
> Local variables and parameters on the stack (beyond RET), especially
> pointers, may be sufficient to copy shellcode and pass execution to any
> other rwx segments.
> No wx segments means perfect security.
> It's time to fix the hardware.

But... you still somehow need to change the EIP to execute arbitrary
code (injected or existing).

I did a simple "biggrep" of a simple "unction [Pp]ointer" pattern on the
Glibc 2.1.92 and found some hints about atexit and malloc hooks and a
few other interesting spots.

Of course, there are more...

Hung.

-----------------------
[root_at_localhost glibc-2.1.92]# biggrep "unction [Pp]ointer"
 /usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog: the address of a
symbol so function pointers are handled properly.
 /usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog: * elf/rtld.c
(_dl_start): Get the function pointer return address
 /usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog.8: * argp/argp.h: Use
__PMT instead of __P for function pointer.
 /usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h: void (*a_fcn)
(void); /* Function pointer value */
 /usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h: void (*a_fcn)
(void); /* Function pointer value */
 /usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h:#define
R_PARISC_LTOFF_FPTR32 57 /* 32 bits LT-rel. function pointer. */
 /usr/src/redhat/BUILD/glibc-2.1.92/elf/vismain.c: /* Function
pointers: for functions which are marked local and for
 /usr/src/redhat/BUILD/glibc-2.1.92/elf/vismain.c: which definitions
are available all function pointers must be
 /usr/src/redhat/BUILD/glibc-2.1.92/libio/libio.h:/* The structure with
the cookie function pointers. */
 /usr/src/redhat/BUILD/glibc-2.1.92/linuxthreads/ChangeLog: *
sysdeps/pthread/pthread.h: Use __PMT not __P for function pointers.
 /usr/src/redhat/BUILD/glibc-2.1.92/malloc/malloc.c: function
pointers) in a system dependent, opaque data structure.
 /usr/src/redhat/BUILD/glibc-2.1.92/malloc/malloc.c: `Hook' function
pointers are never saved or restored by these
 /usr/src/redhat/BUILD/glibc-2.1.92/manual/libc.info-36: a
function pointer. *Note Basic Signal Handling::.
 /usr/src/redhat/BUILD/glibc-2.1.92/manual/signal.texi:@code{SIG_IGN},
or a function pointer. @xref{Basic Signal Handling}.
 /usr/src/redhat/BUILD/glibc-2.1.92/nss/nsswitch.c: /* Remember
function pointer for later calls. Even if null, we
 /usr/src/redhat/BUILD/glibc-2.1.92/nss/nsswitch.h:/* For mapping a
function name to a function pointer. It is known in
 /usr/src/redhat/BUILD/glibc-2.1.92/nss/nss_db/dummy-db.h: we're only
interested in the function pointers, since that's the
    a1 Contains a function pointer to be registered with
`atexit'.
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/i386/elf/start.S:
%edx Contains a function pointer to be registered with `atexit'.
    %a1 Contains a function pointer to be registered with
`atexit'.
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/mips/elf/start.S: v0
($2) Contains a function pointer to be registered with `atexit'.
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/powerpc/dl-start.S:/* Pass a
termination function pointer (in this case _dl_fini) in r7. */
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/s390/elf/start.S:
%r14 Contains a function pointer to be registered with `atexit'.
 /usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/sh/elf/start.S: r4
Contains a function pointer to be registered with `atexit'.

/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/alpha/clone.S:
beq a0,$error /* no NULL function pointers */

/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/arm/clone.S:
@ save the function pointer as the 0th element

/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/i386/clone.S:
movl FUNC(%esp),%ecx /* no NULL function pointers */

/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/i386/clone.S:
/* Save the function pointer as the zeroth argument.

/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/m68k/clone.S:
movel 4(%sp), %a0 /* no NULL function pointers */

/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S:
beqz a0,error /* No NULL function pointers. */

/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S:
sw a0,0(a1) /* Save function pointer. */

/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S:
lw t9,0(sp) /* Function pointer. */

/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/s390/clone.S:
ltr %r1,%r2 /* no NULL function pointers */

/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/sh/clone.S:
/* save the function pointer as the 0th element */
 /usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/mbsnrtowcs.c: /* Get the
structure with the function pointers. */
 /usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/mbsrtowcs.c: /* Get the
structure with the function pointers. */
 /usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/wcsnrtombs.c: /* Get the
structure with the function pointers. */
 /usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/wcsrtombs.c: /* Get the
structure with the function pointers. */
 [root_at_localhost glibc-2.1.92]#
Received on Nov 20 2001
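The atexit handler slots that the grep above turns up are function pointers sitting in writable memory, and glibc later hardened exactly that kind of slot with pointer mangling (PTR_MANGLE): a stored pointer is XORed with a per-process secret and rotated, and is decoded only at call time, so an entry overwritten with a plain address no longer decodes to that address. The following C program is an added illustration of that scheme written for this page; it is not glibc's code and not part of Hung Vu's message, and the guard constant, handler table and function names are constructed for the example.

```c
#include <stdint.h>

/* Width of uintptr_t in bits, used by the rotates below. */
#define PTR_BITS (sizeof(uintptr_t) * 8)

/* Per-process secret. Real glibc fills its pointer guard from kernel-supplied
   random bytes at startup; this fixed value is constructed so the example is
   deterministic. */
static const uintptr_t pointer_guard = (uintptr_t)0x5A3C9F17E2B4D601ULL;

typedef void (*handler_t)(void);

static uintptr_t rotl(uintptr_t v, unsigned n) {
    n %= PTR_BITS;
    return n ? (v << n) | (v >> (PTR_BITS - n)) : v;
}
static uintptr_t rotr(uintptr_t v, unsigned n) { return rotl(v, PTR_BITS - n % PTR_BITS); }

/* PTR_MANGLE-style encoding: XOR with the guard, then rotate (17 on x86-64
   glibc). Only the mangled value is ever stored in writable memory. */
static uintptr_t mangle(handler_t fn)  { return rotl((uintptr_t)fn ^ pointer_guard, 17); }
static handler_t demangle(uintptr_t m) { return (handler_t)(rotr(m, 17) ^ pointer_guard); }

/* A writable registration table, standing in for atexit's handler list. */
#define MAX_HANDLERS 8
static uintptr_t handler_table[MAX_HANDLERS];
static int handler_count;
static int calls_made;

static void sample_handler(void) { calls_made++; }

int register_handler(handler_t fn) {
    if (handler_count >= MAX_HANDLERS) return -1;
    handler_table[handler_count++] = mangle(fn);   /* never store the raw pointer */
    return 0;
}

/* Decode each stored entry and call it; returns how many ran. */
int run_handlers(void) {
    for (int i = 0; i < handler_count; i++) demangle(handler_table[i])();
    return handler_count;
}
int handler_calls(void) { return calls_made; }

/* The property that blunts a write to the table: a slot holding a plain
   address does not decode back to that address, so the call lands on a
   meaningless location rather than the function the writer chose. */
int plain_address_decodes_to_itself(handler_t fn) {
    return demangle((uintptr_t)fn) == fn;   /* 0 unless guard == rotr(fn,17)^fn */
}
```

The same idea is what glibc applies to setjmp buffers and the atexit list; without the secret, a corrupted slot cannot be made to decode to a chosen function.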