[28786] in bugtraq
Re[2]: Can't Preventing exploitation with rebasing
daemon@ATHENA.MIT.EDU (dullien@gmx.de)
Wed Feb 5 15:40:56 2003
Date: Thu, 6 Feb 2003 20:14:03 +0100
From: dullien@gmx.de
Reply-To: dullien@gmx.de
Message-ID: <129716581.20030206201403@gmx.de>
To: bugtraq@gaza.halo.nu
In-Reply-To: <Pine.LNX.4.33.0302050338091.16527-100000@gaza.halo.nu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hey all,
bghn> DIGRESSION:
bghn> Dave Litchfield says you can call esp. I don't know Dave's
bghn> relationships with his registers but this doesn't work if I want
bghn> to get my eip on top of my shellcode. Always starts executing a
bghn> memory address for me. Maybe if I took esp out to dinner more
bghn> often then I could call it instead of having to jump on top of it.
bghn> Dave, any suggestions for the wine list?
bghn> END DIGRESSION.
Problem here is Intel ignoring its own standards. The standard says
to first transfer control, then push the old EIP on the stack -- but
Intel CPUs since Pentium have done it the other way around, first
pushing EIP (and decreasing ESP), then setting EIP=ESP.
Cheers,
Thomas
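As an added illustration (not part of Thomas's message or anything else in this thread), the following C program models the two orderings of CALL ESP contrasted above on a constructed 64-byte stack: one variant reads the ESP operand before pushing the return address, the other pushes first and then sets EIP=ESP, as the message describes; JMP ESP is shown beside them. The stack contents, the return address 0xDEADBEEF and the 0x90/0xCC marker bytes are all made up for the example; the model does not execute anything and does not decide which ordering a real CPU uses, it only shows where EIP lands and which byte would be decoded first under each.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tiny model of a 32-bit stack. Addresses are indices into mem[];
   this is a constructed toy, not a real CPU. */
#define STACK_SIZE 64

typedef struct {
    uint8_t  mem[STACK_SIZE];
    uint32_t esp;   /* current top of stack */
    uint32_t eip;   /* address the next instruction would be fetched from */
} cpu_t;

/* Push a 32-bit value little-endian, decrementing ESP first. */
static void push32(cpu_t *c, uint32_t v) {
    c->esp -= 4;
    for (int i = 0; i < 4; i++)
        c->mem[c->esp + i] = (uint8_t)(v >> (8 * i));
}

/* CALL ESP, variant A: the register operand is read before the push,
   so control goes to the stack top as it was before the call. */
static void call_esp_operand_first(cpu_t *c, uint32_t ret) {
    uint32_t target = c->esp;
    push32(c, ret);
    c->eip = target;
}

/* CALL ESP, variant B: the ordering the message describes, push the
   return address first and then set EIP to the decremented ESP. */
static void call_esp_push_first(cpu_t *c, uint32_t ret) {
    push32(c, ret);
    c->eip = c->esp;
}

/* JMP ESP: no push, EIP simply becomes ESP. */
static void jmp_esp(cpu_t *c) {
    c->eip = c->esp;
}

/* Fresh stack with constructed "shellcode" marker bytes at the top:
   two NOPs (0x90) followed by INT3 (0xCC). */
static cpu_t fresh_cpu(void) {
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.esp = 32;
    c.mem[32] = 0x90;
    c.mem[33] = 0x90;
    c.mem[34] = 0xCC;
    return c;
}

#define RET_ADDR 0xDEADBEEFu   /* constructed return address */

/* Each helper returns the first byte that would be fetched at EIP. */
uint32_t eip_operand_first(void) { cpu_t c = fresh_cpu(); call_esp_operand_first(&c, RET_ADDR); return c.eip; }
uint32_t eip_push_first(void)    { cpu_t c = fresh_cpu(); call_esp_push_first(&c, RET_ADDR);    return c.eip; }
uint32_t eip_jmp_esp(void)       { cpu_t c = fresh_cpu(); jmp_esp(&c);                          return c.eip; }

uint8_t byte_operand_first(void) { cpu_t c = fresh_cpu(); call_esp_operand_first(&c, RET_ADDR); return c.mem[c.eip]; }
uint8_t byte_push_first(void)    { cpu_t c = fresh_cpu(); call_esp_push_first(&c, RET_ADDR);    return c.mem[c.eip]; }
uint8_t byte_jmp_esp(void)       { cpu_t c = fresh_cpu(); jmp_esp(&c);                          return c.mem[c.eip]; }

int main(void) {
    printf("CALL ESP, operand read first: EIP=%u first byte=0x%02X\n",
           eip_operand_first(), byte_operand_first());
    printf("CALL ESP, push first:         EIP=%u first byte=0x%02X\n",
           eip_push_first(), byte_push_first());
    printf("JMP ESP:                      EIP=%u first byte=0x%02X\n",
           eip_jmp_esp(), byte_jmp_esp());
    return 0;
}
```

In the push-first ordering EIP lands on the freshly pushed return address, so the first byte decoded is 0xEF, the low byte of 0xDEADBEEF, which is the "starts executing a memory address" symptom the quoted poster describes; in the operand-first ordering, and with JMP ESP, EIP lands on the marker bytes instead. The model makes the difference between the two orderings visible without touching a real stack.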