Jonas Yorg wrote:
> So I heard somewhere once that supposedly a buffer-overflowing program
> can jump back into the code it's exploiting in order to call some
> system call (after setting up the appropriate stack/register
> environment I would suppose). I think that whoever I read heard from
> was maybe thinking of return to libc type exploits where you jump to
> some libc wrapper for a system call. Anyway my question is this (for
> both Linux and Windows, but mainly Linux for now): Is it possible to
> directly jump back to code in the program you exploited?
Yes. If you're willing to read an academic research paper, this has
exactly what you seem to be looking for:
Automating Mimicry Attacks Using Static Binary Analysis
Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, and
Giovanni Vigna
In Proceedings of the 14th Usenix Security Symposium. August 2005.
http://www.auto.tuwien.ac.at/~chris/research/doc/usenix05_attack.pdf
Attacks described in the paper execute all system calls from application
code, not from injected code, to evade intrusion detection systems that
verify the origin of system calls. The paper also explains how the
attacker can regain control after calling into the application to
execute a system call.
I am not affiliated with these authors; I just think it's nice work.
Jon
Received on Jun 16 2005