Vulnerability Development
mailing list archives
Re: Buffer Overflows
From: Gerardo Richarte <gera () corest com>
Date: Thu, 01 Apr 2004 11:36:56 -0300
In a previous mail I said:
Another example of "Closed source OS" (quotes because you can get
some of the sources for solaris, at least there was an open source
version of solaris 8, for the source sharing community, or something
like that).
And in response to this warning3 sent me an email saying that it's not possible to use the "jmp esp" trick on solaris/sparc, which is absolutely correct, because "esp" gets corrupted, as well as all the other registers, when you overwrite the saved register window.
In our cases, when we used the "jmp esp" trick, it was not a jmp esp, but rather a jmp %gx, and the global was, rather unexpectedly, pointing to our code. I don't think this is going to be generic.
Other cases where we use the "address database" in solaris are for the addresses of exitfns (atexit() function pointers), and libc's PLT. The trick of using atexit() function pointers was pretty reliable for us; however, to exploit it you have to be able to force an exit() in the application, which is not always the case.
Of course, the original "jmp esp" can be used on solaris/i386, but nobody really cares much about that.
gera
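The "jmp esp" trick the message refers to depends on an "address database": the fixed address of a byte sequence in the target's mapped code that transfers control to wherever the stack pointer points. The following is an added example, not code from the original post or from its author, showing how such addresses are located on i386: it scans a constructed code region (a hypothetical load address of 0x08049000 and planted trampoline bytes, both assumptions for the demonstration) for `jmp esp`, `call esp` and `push esp; ret`, and discards any hit whose address contains a byte the copying routine would stop at, the usual reason a found trampoline cannot actually be written into a saved return address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* i386 two-byte sequences that transfer control to wherever %esp points.
 * They need not be aligned instructions: a sequence found in the middle
 * of another instruction works just as well as a trampoline. */
struct trampoline { const char *name; uint8_t bytes[2]; };

static const struct trampoline TRAMPOLINES[] = {
    { "jmp esp",       { 0xFF, 0xE4 } },
    { "call esp",      { 0xFF, 0xD4 } },
    { "push esp; ret", { 0x54, 0xC3 } },
};
#define NTRAMP (sizeof TRAMPOLINES / sizeof TRAMPOLINES[0])

/* An address is only usable as an overwritten return address if none of
 * its four bytes is one the copying routine stops at (0x00 for strcpy). */
int address_usable(uint32_t addr, const uint8_t *bad, size_t nbad)
{
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(addr >> (8 * i));
        for (size_t j = 0; j < nbad; j++)
            if (b == bad[j]) return 0;
    }
    return 1;
}

/* Scan a code region loaded at 'base' and collect the virtual address of
 * every trampoline whose address contains no bad byte.  Returns the number
 * of usable hits; at most max_hits of them are stored in 'hits'. */
size_t find_trampolines(const uint8_t *code, size_t len, uint32_t base,
                        const uint8_t *bad, size_t nbad,
                        uint32_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off + 2 <= len; off++) {
        for (size_t t = 0; t < NTRAMP; t++) {
            if (memcmp(code + off, TRAMPOLINES[t].bytes, 2) != 0) continue;
            uint32_t addr = base + (uint32_t)off;
            if (!address_usable(addr, bad, nbad)) {
                printf("  0x%08x %-14s (skipped: bad byte in address)\n",
                       addr, TRAMPOLINES[t].name);
                continue;
            }
            printf("  0x%08x %s\n", addr, TRAMPOLINES[t].name);
            if (n < max_hits) hits[n] = addr;
            n++;
        }
    }
    return n;
}

/* Constructed sample (an assumption, not a real binary): 0x110 bytes of
 * nop filler with three trampolines planted, one of them at an address
 * whose low byte is 0x00 and which therefore cannot be strcpy'd in. */
static uint8_t sample_text[0x110];

size_t scan_sample(uint32_t *hits, size_t max_hits)
{
    const uint32_t base = 0x08049000u;      /* assumed load address */
    const uint8_t bad[] = { 0x00, 0x0a };   /* NUL and newline */
    memset(sample_text, 0x90, sizeof sample_text);
    sample_text[0x10]  = 0xFF; sample_text[0x11]  = 0xE4; /* jmp esp       at 0x08049010 */
    sample_text[0x20]  = 0x54; sample_text[0x21]  = 0xC3; /* push esp; ret at 0x08049020 */
    sample_text[0x100] = 0xFF; sample_text[0x101] = 0xD4; /* call esp      at 0x08049100 */
    return find_trampolines(sample_text, sizeof sample_text, base,
                            bad, sizeof bad, hits, max_hits);
}

int main(void)
{
    uint32_t hits[8];
    size_t n = scan_sample(hits, 8);
    printf("%zu usable trampoline(s)\n", n);
    return 0;
}
```

Against a real target the region scanned would be the text segment of a non-relocated executable or of a library mapped at a fixed address, since the whole point of the trick is that the address survives from run to run; the bad-byte set depends on the routine that performs the overflow (0x00 for strcpy, plus whitespace or 0x0a for sscanf- or gets-style copies).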