Anibal Ambertin wrote:
> > in the case of sigaction the signum was set to 10 or SIGUSR1 and all other
> > arguments were overwritten with 0x41414141 I was wondering if this
> > could cause any added risk to the x86 versions of apache... maybe some
> > signaling ninja would help?
> I don't think this could be usefull for an attacker, since the only
> thing you can do is to change the sigaction parameters, which doesn't imply
> any risk at all (unless you can write the members of the sigaction structure
> and make it go to another internal function -which should be part of the
> vulnerable program, in this case, apache-).
If you control the parameters, then you can change the pointer to the sigaction struct,
point it to somewhere in memory which you can controll, create your own struct there
with .sa_handler (first four bytes in the struct) pointed to your shellcode.
I did this struct stuff in my (old) splitvt exploit.
--
void sighandler() { printf("Called!\n"); exit(0); }
int main() {
int *a = 0x11223344;
char buf[] = "XXXXAAAAAAAAAAAA";
long *p = (long *)buf;
*p = &sighandler;
sigaction(11, buf, buf);
*a = 5; /* crash */
}
--
(NOTE: you might want to use another value then aaaa/aaaa for the
other parameters :P).
Ofcourse I could have misunderstood what exactly you KF controlls,
Cya,
Syzop.
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 12:36:31 PDT