[17470] in bugtraq
Re: Future of buffer overflows ?
daemon@ATHENA.MIT.EDU (tseeker@PROBEMAIL.COM)
Thu Nov 2 13:47:37 2000
Message-Id: <3a013e61.4b.0@probemail.com>
Date: Thu, 2 Nov 2000 04:13:53 -600
Reply-To: tseeker@probemail.com
From: tseeker@PROBEMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> Feed a return address and arguments so the RET "calls" memcpy(),
> and use this memcpy() to move the buffer to some place in memory where
> you can jump later. Then tell memcpy() to return to this new place,

clarifying:
memcpy() needs an argument specifying the number of bytes to
copy. It will contain 0, so you will have problems with putting
it on the stack. strcpy() is a better choice. This technique
was first described (some years ago) in "Defeating Solar
Designer non-executable stack patch" by Nergal:
http://www.securityfocus.com/archive/1/8470
Check it out; the second method can be used to bypass PaX
protection as well. It additionally deals with the case when
libc is mapped into a region whose address begins with NULL.
> The second option... let's call it "pop&ret"
That is pretty cool.
The Seeker
ProbeMail / http://www.probemail.com