Vulnerability Development: Re: Randomized Stack

Re: Randomized Stack

From: Rik Bobbaers <Rik.Bobbaers_at_cc.kuleuven.be>
Date: Mon, 28 Nov 2005 15:41:58 +0100

On Friday 25 November 2005 17:47, Oldani Massimiliano wrote:

> Stack random? Only random stack? Or with random mmap()/stack and
> no-exec workaround?
> If you have only random stack and you can execute code in the stack,
> you can check for interesting pointers in the stack and chain a
> ret-into-ret until you get it,
> or find somewhere a jmp *%esp instruction and jump onto your payload.
> Alternatively you can construct arguments with a ret-into-PLT strcpy()
> chain in some RW place and then use them.

An alternative (easier ;)): put a 64k nopsled in front of your shellcode and
"brute force" it ;)

-- 
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT          -=- Tel: +32 485 52 71 50
Rik.Bobbaers@cc.kuleuven.be -=- http://harry.ulyssis.org
Disclaimer:
By sending an email to ANY of my addresses you are agreeing that:
  1. I am by definition, "the intended recipient"
  2. All information in the email is mine to do with as I see fit and make 
such financial profit, political mileage, or good joke as it lends itself to. 
In particular, I may quote it on usenet.
  3. I may take the contents as representing the views of your company.
  4. This overrides any disclaimer or statement of confidentiality that may be 
included on your message. 
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Received on Nov 28 2005
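As an added, defender-side example that is not part of the original thread or of any poster's code: the exchange above turns on two properties of the target system, whether only the stack (rather than stack and mmap()) is randomized, and whether the stack is executable at all. On Linux both can be read from /proc/<pid>/maps. The script below parses that format, reports whether the [stack] region is executable, and decides whether its base moves between fresh processes. The function names, the constructed maps lines and the sample addresses are my own assumptions, not values from the page.

```python
"""Added example: check stack randomization and stack executability on Linux
by parsing /proc/<pid>/maps. Not code from the original mailing-list post.
Helper names are hypothetical; the SAMPLE_* maps lines are constructed."""
import re
import subprocess
import sys
from typing import Iterable, Optional, Tuple

# One /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]"
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$"
)


def find_stack_mapping(maps_text: str) -> Optional[Tuple[int, int, str]]:
    """Return (start, end, perms) of the main [stack] region, or None."""
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m and m.group(4).strip() == "[stack]":
            return int(m.group(1), 16), int(m.group(2), 16), m.group(3)
    return None


def stack_is_executable(maps_text: str) -> bool:
    """True when the [stack] mapping carries the 'x' permission bit
    (the situation the thread's 'execute code in the stack' assumes)."""
    region = find_stack_mapping(maps_text)
    return region is not None and "x" in region[2]


def stack_is_randomized(maps_samples: Iterable[str]) -> bool:
    """True when the [stack] base differs across the sampled maps texts,
    i.e. stack randomization is in effect for those processes."""
    bases = set()
    for text in maps_samples:
        region = find_stack_mapping(text)
        if region is None:
            raise ValueError("no [stack] mapping found in sample")
        bases.add(region[0])
    return len(bases) > 1


def sample_live_maps(n: int = 5) -> list:
    """Spawn n fresh interpreters and collect each one's /proc/self/maps.
    Linux only; each child is a new process, so its stack base is drawn anew."""
    cmd = [sys.executable, "-c", "print(open('/proc/self/maps').read())"]
    return [
        subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        for _ in range(n)
    ]


# Constructed sample maps excerpts (not taken from any real system).
SAMPLE_A = """
5589a2c00000-5589a2c01000 r--p 00000000 08:01 1234567    /usr/bin/example
7ffd3a1c0000-7ffd3a1e1000 rw-p 00000000 00:00 0          [stack]
"""
SAMPLE_B = """
5589a2c00000-5589a2c01000 r--p 00000000 08:01 1234567    /usr/bin/example
7ffc9e640000-7ffc9e661000 rw-p 00000000 00:00 0          [stack]
"""
# An executable, fixed-address stack, as on a kernel without NX and randomization.
SAMPLE_LEGACY = """
bffeb000-c0000000 rwxp 00000000 00:00 0          [stack]
"""


if __name__ == "__main__":
    try:
        live = sample_live_maps()
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"live sampling unavailable ({exc}); using constructed samples")
        live = [SAMPLE_A, SAMPLE_B]
    print("stack randomized:", stack_is_randomized(live))
    print("stack executable:", stack_is_executable(live[0]))
```

On a current Linux box with /proc/sys/kernel/randomize_va_space at its default, the live check reports a randomized, non-executable stack; the constructed SAMPLE_LEGACY shows what the parser reports for the fixed, rwxp stack the first reply treats as the easy case.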