On Tue, 1 Apr 2003, Alexander Cuttergo wrote:

> The only way to fool prescan() checks seems to be to pass to it a
> string "\\\377\\\377\\\377\\\377....", that is, backslash followed by
> character 255.

I already talked to Alexander privately. In general, no, this is not the only sequence that can be used, although the set of characters is indeed quite limited, making the ability to succeed somewhat dependent on the actual compiler output if you want to overwrite eip bytes. But you don't have to - you also have the frame pointer and some local pointers and other variables past pvpbuf in almost every location where prescan() is called.

> though ;) ). But then the overwritten saved base pointer would point
> within pvpbuf, which contains only backslashes, which is not useful.

pvpbuf does not have to contain only backslashes until pvpbuf is almost full. So yes, you can likely overwrite the frame pointer to point to user-supplied data.

> 3) we can overwrite two least bytes of saved base pointer with 0x005c.

You can overwrite any number of eip and ebp bytes with several combinations, and it is sometimes possible to point to an interesting code or stack location. Technologies like stack randomization might make it easier to achieve a good result by overwriting more than two bytes.

I have seen two exploits so far, one of them fully functional, but local - which, of course, I can't prove or discuss, really, but I do believe it's not that much of an issue to exploit this.

-- 
-------------------------
bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
---------------------------

2003-04-04 09:05 --
This archive was generated by hypermail 2b30 : Fri Apr 04 2003 - 12:59:12 PST