Vulnerability Development: Re: challenge

Re: challenge

From: Marco Ivaldi <raptor_at_0xdeadbeef.info>
Date: Tue, 14 Sep 2004 16:19:42 +0200 (CEST)

On Tue, 14 Sep 2004, Marco Ivaldi wrote:

> Finally, there's room for the .got entry substitution technique, for
> changing the second free() into a system() instead of using a shellcode
> -- but beware, 'cause usually system() drops privileges.

Hrm... first of all sorry for the auto-replies, even though this is not a
heavy traffic list ;P

I just want to point out that this exploitation technique is not going to
work with this kind of vulnerability, 'cause the unlink() macro needs to
write in the memory area pointed by the bk field of the overflowed chunk
(specifically, the macro corrupts 10 bytes, from 3rd to 12th -- that's the
reason why we put a "jmp 0x0a" opcode followed by 10 bytes of junk at the
very beginning of the shellcode). Of course, libc is not a writable area.

Nevertheless, .got entry substitution may be an interesting option to
exploit format bugs along with some integer overflows, and to bypass some
security measures (openwall, stackguard).

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
Received on Sep 14 2004
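The point above turns on what the unlink() macro actually writes. The following is an added illustration (not the poster's code and not glibc source) modelling the 2004-era free-chunk header: the two pointer writes the macro performs, and the consistency check later glibc versions added so that a chunk with inconsistent fd/bk fields is never unlinked.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added illustration (not glibc source): the dlmalloc free-chunk header
 * as discussed in the thread. fd/bk are the free-list links. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* Classic unlink(P): exactly two writes, both through pointers read from
 * P's own header. Whatever those pointers hold, the targets must be
 * writable memory:
 *   P->fd->bk = P->bk   (offset of bk: 12 on 32-bit, 24 on 64-bit)
 *   P->bk->fd = P->fd   (offset of fd:  8 on 32-bit, 16 on 64-bit)
 * That is why the mail rules out read-only libc text as a target. */
void unlink_classic(struct chunk *p) {
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* "Safe unlinking" mitigation, in the spirit of the check glibc later
 * added: only unlink if both neighbours really point back at P.
 * Returns false (and writes nothing) for an inconsistent header. */
bool unlink_checked(struct chunk *p) {
    if (p->fd->bk != p || p->bk->fd != p)
        return false;
    unlink_classic(p);
    return true;
}

/* Constructed scenarios; each returns true when the check behaves. */
bool demo_well_formed(void) {
    struct chunk a = {0}, b = {0}, c = {0};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b;   /* a <-> b <-> c */
    return unlink_checked(&b) && a.fd == &c && c.bk == &a;
}

bool demo_forged_header(void) {
    struct chunk a = {0}, c = {0}, forged = {0};
    a.fd = &c; c.bk = &a;                 /* real list: a <-> c */
    forged.fd = &a; forged.bk = &c;       /* header claims to sit between them */
    return !unlink_checked(&forged) && a.fd == &c && c.bk == &a;
}
```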