[18063] in bugtraq


Using function supplied parameters in buffer overflow

daemon@ATHENA.MIT.EDU (Pauli Ojanpera)
Wed Dec 13 22:02:39 2000

Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-Id:  <F266e0yAEWopcnvy3Jd0000ed93@hotmail.com>
Date:         Wed, 13 Dec 2000 11:53:39 +0200
Reply-To: Pauli Ojanpera <pauli_ojanpera@HOTMAIL.COM>
From: Pauli Ojanpera <pauli_ojanpera@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

I recently noticed that in the recent WinAmp .M3U playlist parsing
error I found, you can use a pointer already on the stack. Dunno if
this is a known concept.

The faulty function is supplied a pointer which is then, inside
the function, set to point at the beginning of the buffer that
gets overflowed during the function's execution.

Stack:
[bufptr as a parameter]
[return address]
[saved frame pointer]
[buffer]

So you can exploit it by overflowing the return address with
an address that points to another ret instruction that
subsequently fetches bufptr off the stack and jumps to it.

You can also roam the stack upwards to find other suitable
pointers in there. You just have to use a row of pointers to
a ret instruction to get the esp value to point higher up the stack.

[buffer][ptr-to-ret][ptr-to-ret][ptr-to-ret][*magic-ret-val-here-already-in-stack*]

You can also point the execution to the instructions preceding
a ret, to affect other register values. For example, to the
usual instruction preceding a "ret", i.e. to code like this:

pop ebp
ret

-- Too bad I'm not too good at explaining things. --
-- Thanks for the attention. --
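As an added example (not code from this post or from WinAmp), the unbounded copy pattern the post describes is shown beside a bounded M3U line reader that rejects any entry that would not fit in the fixed buffer. ENTRY_MAX, the function names and the sample playlist are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#define ENTRY_MAX 64  /* assumed size of the fixed on-stack path buffer */
/* Pattern the post describes: a pointer aimed at a fixed stack buffer, filled from
 * the line with no length check, so a long line overruns saved EBP and the return address. */
static size_t copy_entry_unsafe(const char *line)    /* only called on short input here */
{
    char buf[ENTRY_MAX], *bufptr = buf;
    strcpy(bufptr, line);              /* the defect: unbounded copy */
    return strlen(buf);
}
/* Hardened reader: measures the line first and refuses what would not fit. Returns 1 when
 * dst holds a path, 0 for a blank line or '#' directive, -1 when the entry is too long. */
static int read_m3u_entry(const char *line, char *dst, size_t dstlen)
{
    size_t n = strcspn(line, "\r\n");  /* entry length up to CR/LF */
    if (n == 0 || line[0] == '#')
        return 0;
    if (n >= dstlen)
        return -1;                     /* reject instead of truncating silently */
    memcpy(dst, line, n);
    dst[n] = '\0';
    return 1;
}
/* Walks a whole playlist; returns accepted entries and stores the rejected count. */
static int parse_playlist(const char *text, int *rejected)
{
    char entry[ENTRY_MAX];
    int accepted = 0;
    *rejected = 0;
    while (*text) {
        int rc = read_m3u_entry(text, entry, sizeof entry);
        if (rc == 1) accepted++; else if (rc == -1) (*rejected)++;
        text += strcspn(text, "\n");   /* advance to the next line */
        if (*text == '\n') text++;
    }
    return accepted;
}
/* Constructed playlist: one directive, two valid paths, one 84-byte entry. */
static const char SAMPLE_PLAYLIST[] = "#EXTM3U\r\nC:\\Music\\track01.mp3\r\n"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" ".mp3\ntrack02.mp3\n";
static char scratch[ENTRY_MAX];        /* destination used by the checks below */
static int sample_rejected(void) { int r; parse_playlist(SAMPLE_PLAYLIST, &r); return r; }
int main(void)
{
    int rejected, ok = parse_playlist(SAMPLE_PLAYLIST, &rejected);
    printf("accepted %d entries, rejected %d oversized\n", ok, rejected);
    return 0;
}
```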
