Re: Windows Buffer Overflows
daemon@ATHENA.MIT.EDU (dullien@gmx.de)
Mon Jun 17 21:00:56 2002
Date: Mon, 17 Jun 2002 14:02:17 -0700
From: dullien@gmx.de
Reply-To: dullien@gmx.de
Message-ID: <105953090.20020617140217@gmx.de>
To: "Brett Moore" <brett@softwarecreations.co.nz>
Cc: bugtraq@securityfocus.com
In-Reply-To: <001001c21502$a18bb240$6301a8c0@visp>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Hey Brett,
BM> But because we can write to multiple addresses an exploit can work like
BM> this,
BM> * locate the static memory address for the exception handler
BM> * locate another static memory address
BM> * overwrite the exception handler with the second address
BM> * overwrite the second address with the required instructions for our
BM> relative jmp
BM> * cause an exception
I am not sure if what Halvar Flake spoke about at Blackhat Amsterdam
last fall was the same issue, but it sounds a bit similar:
http://www.blackhat.com/presentations/bh-europe-01/halvar-flake/halvar.ppt;
in the second half there are a few slides on exploitation reliability.
Cheers,
Thomas Dullien
--
Kind regards,
dullien@gmx.de
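As an added illustration (not part of this thread, and not Windows code), a constructed C model of the check that breaks the quoted sequence at its first step: before an exception is dispatched, walk the handler registration chain and refuse any record that lies outside the current stack or whose handler pointer is not one the module registered, which is the idea behind the later SafeSEH and SEHOP mitigations. The record layout, the handler addresses in the table, the tampered values and the stack bounds are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a 32-bit SEH registration record: the two fields that
 * sit on the stack and that a stack overflow can overwrite. */
typedef struct seh_record {
    struct seh_record *prev;     /* next record up the chain; SEH_END terminates */
    uintptr_t          handler;  /* pointer to the exception handler routine    */
} seh_record;
#define SEH_END ((seh_record *)(uintptr_t)-1)

/* Hypothetical table of handlers the module registered at build time, standing
 * in for the list SafeSEH reads from the load config. Constructed addresses. */
static const uintptr_t known_handlers[] = { 0x00401000u, 0x00402340u };

static bool handler_is_registered(uintptr_t h) {
    for (size_t i = 0; i < sizeof known_handlers / sizeof *known_handlers; i++)
        if (known_handlers[i] == h) return true;
    return false;
}

/* Walk the chain from head. Every record must lie inside [stack_lo, stack_hi)
 * and carry a registered handler. Returns the index of the first record that
 * fails (0 = the record nearest the overflow), or -1 if the chain is intact. */
int validate_seh_chain(const seh_record *head, uintptr_t stack_lo, uintptr_t stack_hi) {
    int idx = 0;
    for (const seh_record *r = head; r != SEH_END; r = r->prev, idx++) {
        uintptr_t addr = (uintptr_t)r;
        if (addr < stack_lo || addr + sizeof *r > stack_hi) return idx; /* off-stack */
        if (!handler_is_registered(r->handler)) return idx;             /* swapped */
        if (idx > 64) return idx;                                         /* cycle */
    }
    return -1;
}

/* Build a two-record chain on this function's own stack, optionally tamper
 * with the first record the way an overflow would, and validate it.
 * tamper: 0 = untouched, 1 = handler pointer replaced by a non-registered
 * address, 2 = prev pointer redirected to an address outside the stack. */
int check_chain(int tamper) {
    seh_record recs[2];
    recs[1].prev = SEH_END;   recs[1].handler = 0x00401000u;
    recs[0].prev = &recs[1];  recs[0].handler = 0x00402340u;
    if (tamper == 1) recs[0].handler = 0x00403000u;                     /* constructed */
    if (tamper == 2) recs[0].prev = (seh_record *)(uintptr_t)0x00404000u; /* constructed */
    uintptr_t lo = (uintptr_t)recs, hi = lo + sizeof recs;
    return validate_seh_chain(recs, lo, hi);
}
```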