Re: Windows Buffer Overflows

From: dullienat_private
Date: Mon Jun 17 2002 - 14:02:17 PDT

    Hey Brett,
    
    BM> But because we can write to multiple addresses an exploit can work like
    BM> this,
    BM>  * locate the static memory address for the exception handler
    BM>  * locate another static memory address
    BM>  * overwrite the exception handler with the second address
    BM>  * overwrite the second address with the required instructions for our
    BM> relative jmp
    BM>  * cause an exception
    
    I am not sure if what Halvar Flake spoke about at Blackhat Amsterdam
    last Fall was the same issue, but it sounds a bit similar.
    http://www.blackhat.com/presentations/bh-europe-01/halvar-flake/halvar.ppt,
    in the second half there are a few slides on exploitation reliability.
    
    Cheers,
    Thomas Dullien
    
    
    -- 
    With kind regards
    dullienat_private                            mailto:dullienat_private
    


