Mariusz Woloszyn wrote:

> Local variables and parameters on the stack (beyond RET), specially
> pointers may be sufficient to copy shellcode and pass execution to any
> other rwx segments.
> No wx segments means perfect security.
> It's time to fix the hardware.

But... you still somehow need to change the EIP to execute arbitrary code
(injected or existing).

I did a simple "biggrep" of a simple "unction [Pp]ointer" pattern on
Glibc 2.1.92 and found some hints about atexit and malloc hooks and a few
other interesting spots. Of course, there are more...

Hung.

-----------------------
[root@localhost glibc-2.1.92]# biggrep "unction [Pp]ointer"
/usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog: the address of a symbol so function pointers are handled properly.
/usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog: * elf/rtld.c (_dl_start): Get the function pointer return address
/usr/src/redhat/BUILD/glibc-2.1.92/ChangeLog.8: * argp/argp.h: Use __PMT instead of __P for function pointer.
/usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h: void (*a_fcn) (void); /* Function pointer value */
/usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h: void (*a_fcn) (void); /* Function pointer value */
/usr/src/redhat/BUILD/glibc-2.1.92/elf/elf.h:#define R_PARISC_LTOFF_FPTR32 57 /* 32 bits LT-rel. function pointer. */
/usr/src/redhat/BUILD/glibc-2.1.92/elf/vismain.c: /* Function pointers: for functions which are marked local and for
/usr/src/redhat/BUILD/glibc-2.1.92/elf/vismain.c: which definitions are available all function pointers must be
/usr/src/redhat/BUILD/glibc-2.1.92/libio/libio.h:/* The structure with the cookie function pointers. */
/usr/src/redhat/BUILD/glibc-2.1.92/linuxthreads/ChangeLog: * sysdeps/pthread/pthread.h: Use __PMT not __P for function pointers.
/usr/src/redhat/BUILD/glibc-2.1.92/malloc/malloc.c: function pointers) in a system dependent, opaque data structure.
/usr/src/redhat/BUILD/glibc-2.1.92/malloc/malloc.c: `Hook' function pointers are never saved or restored by these
/usr/src/redhat/BUILD/glibc-2.1.92/manual/libc.info-36: a function pointer. *Note Basic Signal Handling::.
/usr/src/redhat/BUILD/glibc-2.1.92/manual/signal.texi:@code{SIG_IGN}, or a function pointer. @xref{Basic Signal Handling}.
/usr/src/redhat/BUILD/glibc-2.1.92/nss/nsswitch.c: /* Remember function pointer for later calls. Even if null, we
/usr/src/redhat/BUILD/glibc-2.1.92/nss/nsswitch.h:/* For mapping a function name to a function pointer. It is known in
/usr/src/redhat/BUILD/glibc-2.1.92/nss/nss_db/dummy-db.h: we're only interested in the function pointers, since that's the
a1 Contains a function pointer to be registered with `atexit'.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/i386/elf/start.S: %edx Contains a function pointer to be registered with `atexit'.
%a1 Contains a function pointer to be registered with `atexit'.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/mips/elf/start.S: v0 ($2) Contains a function pointer to be registered with `atexit'.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/powerpc/dl-start.S:/* Pass a termination function pointer (in this case _dl_fini) in r7. */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/s390/elf/start.S: %r14 Contains a function pointer to be registered with `atexit'.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/sh/elf/start.S: r4 Contains a function pointer to be registered with `atexit'.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/alpha/clone.S: beq a0,$error /* no NULL function pointers */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/arm/clone.S: @ save the function pointer as the 0th element
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/i386/clone.S: movl FUNC(%esp),%ecx /* no NULL function pointers */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/i386/clone.S: /* Save the function pointer as the zeroth argument.
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/m68k/clone.S: movel 4(%sp), %a0 /* no NULL function pointers */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S: beqz a0,error /* No NULL function pointers. */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S: sw a0,0(a1) /* Save function pointer. */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/mips/clone.S: lw t9,0(sp) /* Function pointer. */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/s390/clone.S: ltr %r1,%r2 /* no NULL function pointers */
/usr/src/redhat/BUILD/glibc-2.1.92/sysdeps/unix/sysv/linux/sh/clone.S: /* save the function pointer as the 0th element */
/usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/mbsnrtowcs.c: /* Get the structure with the function pointers. */
/usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/mbsrtowcs.c: /* Get the structure with the function pointers. */
/usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/wcsnrtombs.c: /* Get the structure with the function pointers. */
/usr/src/redhat/BUILD/glibc-2.1.92/wcsmbs/wcsrtombs.c: /* Get the structure with the function pointers. */
[root@localhost glibc-2.1.92]#
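Added illustration, not part of Hung's post and not glibc code: the point of the grep above is that the atexit list and the malloc hooks are function pointers sitting in writable data, so a non-executable stack alone does not take them off the table. The defence glibc later adopted for exactly this (PTR_MANGLE / PTR_DEMANGLE) stores such pointers XORed with a per-process secret and rotated, so a stray write that does not know the secret cannot choose what the slot decodes to. The C below is a constructed model of that scheme; `register_handler`, `resolve_handler`, `clobber_slot_raw`, the rotate amount and the guard setup are this example's own choices, not glibc's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a function-pointer table in writable .bss, like the
   atexit list, but every entry is stored mangled with a per-process secret.
   glibc's real PTR_MANGLE uses an architecture-specific rotate and keeps the
   guard in the thread control block; the values here are illustrative. */

typedef void (*handler_fn)(void);

#define ROT  9u                                   /* example rotate amount */
#define BITS ((unsigned)(sizeof(uintptr_t) * 8))

static uintptr_t pointer_guard;                   /* per-process secret */

static uintptr_t rotl(uintptr_t v, unsigned n) {
    n %= BITS;
    return n ? (v << n) | (v >> (BITS - n)) : v;
}

static uintptr_t rotr(uintptr_t v, unsigned n) {
    n %= BITS;
    return n ? (v >> n) | (v << (BITS - n)) : v;
}

/* Mangle when storing, demangle only at the moment of use. */
uintptr_t mangle(uintptr_t p)   { return rotl(p ^ pointer_guard, ROT); }
uintptr_t demangle(uintptr_t m) { return rotr(m, ROT) ^ pointer_guard; }

/* Tests call this with a fixed value; a real process draws the secret from the
   kernel before any handler is registered (glibc uses the AT_RANDOM bytes). */
void set_pointer_guard(uintptr_t g) { pointer_guard = g; }

void init_pointer_guard(void) {
    uintptr_t g = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f) {
        if (fread(&g, sizeof g, 1, f) != 1) g = 0;
        fclose(f);
    }
    /* Weak fallback so the example still runs where /dev/urandom is absent. */
    if (g == 0)
        g = (uintptr_t)&g ^ (uintptr_t)&init_pointer_guard ^ (uintptr_t)0x9e3779b97f4a7c15ULL;
    set_pointer_guard(g);
}

#define MAX_HANDLERS 8
static uintptr_t handlers[MAX_HANDLERS];          /* writable, like the real list */
static int n_handlers;

/* Returns the slot index, or -1 when the table is full. */
int register_handler(handler_fn fn) {
    if (n_handlers >= MAX_HANDLERS) return -1;
    handlers[n_handlers] = mangle((uintptr_t)fn);
    return n_handlers++;
}

/* What slot i decodes to; 0 for an unused slot. */
uintptr_t resolve_handler(int i) {
    if (i < 0 || i >= n_handlers) return 0;
    return demangle(handlers[i]);
}

/* Stand-in for a stray write from a memory-safety bug: the slot receives a raw,
   unmangled value.  Used only to show that it does not decode to itself; the
   decoded result is never called. */
void clobber_slot_raw(int i, uintptr_t raw) {
    if (i >= 0 && i < MAX_HANDLERS) handlers[i] = raw;
}

static void hello(void) { puts("handler ran"); }

int main(void) {
    init_pointer_guard();
    int idx = register_handler(hello);
    ((handler_fn)resolve_handler(idx))();         /* normal path: decode, then call */

    clobber_slot_raw(idx, (uintptr_t)0x41414141u);
    printf("raw 0x%lx in the slot decodes to 0x%lx, not to itself\n",
           (unsigned long)handlers[idx], (unsigned long)resolve_handler(idx));
    return 0;
}
```

The decode step is what turns a writable function pointer from a direct control-transfer target into something that needs the secret as well; the same shape applies to the malloc hooks the grep found, and to any other callback table a program keeps in writable memory.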
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 08:29:24 PST