> I've never tried what you're attempting to do but if you can
> exploit the format string multiple times you could overwrite
> a couple of instructions in the PLT and create a JMPL
> instruction.

It's possible to overwrite the PLT with a CALL instruction, writing only once. I did it on Solaris 2.7/sparc.

The easiest way to exploit a format string is to overwrite any return address (paddress) to point to your shellcode, but you can add a few lines of code to your exploit and translate the address of your shellcode (value) to a sparc call opcode. In this way you are able to overwrite the PLT.

    if (p_plt) {
            /* word displacement from paddress to value, plus the CALL op bits */
            value = ((value - paddress) / 4) + 0x40000000;
            printf("Sparc Opcode:%x\n", value);
    }

--
==============[ CORE Security Technologies ]===============
Juliano Rizzo
Security Consultant
juliano.rizzoat_private
Florida 141 | 2º cuerpo | 7º piso
(C1005AAC) Buenos Aires | Argentina
Tel/Fax : (54 11) 4878-CORE (2673)
info.argentinaat_private | www.corest.com
=====================================================

---
for a personal reply use: Juliano Rizzo <juliano.rizzoat_private>
This archive was generated by hypermail 2b30 : Fri Dec 28 2001 - 08:56:33 PST