


Vulnerability Development: Exotic vulnerability

Exotic vulnerability

From: joxeankoret <joxeankoret_at_yahoo.es>
Date: Tue, 26 Jun 2007 11:23:28 -0700 (PDT)

Hi,

I'm trying to develop an exploit for a product in which I found a
vulnerability and that is the most "exotic" one I found. The following C
source recreates the vulnerability:

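#include <stdio.h>
#include <stdlib.h>     /* atoi() */

void func(int var)
{
        /* As described below, EAX holds the value of "var" at this point */
        __asm__("mov (%eax), %eax");    /* EAX = 32-bit value stored at address EAX */
        __asm__("call *%eax");          /* indirect call to the address just loaded */

        return;
}

int main(int argc, char *argv[])
{
        int i;

        /* Need one argument: the integer value passed to func() */
        if (argc < 2)
                return 1;

        printf("Value is 0x%x\n", atoi(argv[1]));
        i = atoi(argv[1]);
        func(i);
        return 0;
}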

When the process calls the function "func", EAX has the value stored in the
variable "i"; next the process makes the call "mov (%eax), %eax" and then
calls %eax. I have not found a way to exploit it.

Any ideas on how it can be exploited to execute arbitrary code? BTW, I'm trying
to exploit it under Linux x86.

Thanks!
Joxean Koret

-- 
View this message in context: http://www.nabble.com/Exotic-vulnerability-tf3983982.html#a11311064
Sent from the Vulnerability Development mailing list archive at Nabble.com.
Received on Jun 27 2007