-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi. I'm working on Gera's insecure programming stuff, currently on abo7; as I understand it, this is unexploitable on most (all?) current platforms because of the order the sections are linked in? The direct problem here being that .eh_frame and .dynamic directly follow .data, so that I can't ever get control, because I can't overwrite useful (to me) data without overwriting useful (to it) data. So the thought that crosses my mind is why not just copy what is in .eh_frame and .dynamic and .ctors until I reach .dtors; looking through memory I see .dynamic is mostly 0-filled memory, which kinda, well, screws that idea.

So here are my questions:

1) What exactly is .dynamic used for? I mean obviously it's something to do with dynamic data of some sort, I assume libc symbol stuff? What I am more asking is, where can I find more information on it; what exactly belongs where in .dynamic? (This question applies to really all sections; where can I find specific information pertaining to, like, the plt, rplt, etc.; I've read some about them, and I have a working idea of what they do, just looking for more details.)

2) There is no way I can just overwrite .dynamic and change the 0s to, say, 01s, is there?

3) How far back into gcc history do I need to dig to get a version that assembles the sections in a different order? (Is this a gcc thing? An as thing? Or a glibc thing? [I realize this isn't GNU specific.])

thanks
j

"Once set in motion, the process of questioning could come to but one end, the erosion of conviction and certitude and collapse into despair" (The Specter of the Absurd, 1988).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+1ia+oEcehqzkkpgRAkTRAJ4neEKtwBERz3sGhJ5rsgNvrJWusQCgq+2X
pmxZSAU8vxng1zY9vz6SHCU=
=G2dS
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri May 30 2003 - 13:53:28 PDT
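As an added example (not part of the original post, nor of Gera's exercises), the following Python script addresses the "what lives where" part of question 1 by parsing an ELF32 section header table, listing the allocated sections that sit at or above .data in address order, and decoding the entries of .dynamic (d_tag/d_val pairs terminated by DT_NULL). To run offline it builds a constructed sample image inline: the section addresses, the libc.so.6 DT_NEEDED entry and the DT_INIT address are made up for the demonstration. Pass a real 32-bit ELF file as the only argument to inspect an actual binary instead; the DT_TAGS table covers only a subset of the tags defined in the ELF specification.

```python
"""Inspect ELF32 section layout and decode the .dynamic section (added example)."""
import struct
import sys

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # Elf32_Ehdr, little-endian
SHDR = struct.Struct("<10I")                # Elf32_Shdr
DYN = struct.Struct("<iI")                  # Elf32_Dyn: d_tag, d_val
SHT_PROGBITS, SHT_STRTAB, SHT_DYNAMIC = 1, 3, 6
SHF_WRITE, SHF_ALLOC = 0x1, 0x2
# Subset of d_tag values from the ELF specification.
DT_TAGS = {0: "DT_NULL", 1: "DT_NEEDED", 2: "DT_PLTRELSZ", 3: "DT_PLTGOT",
           4: "DT_HASH", 5: "DT_STRTAB", 6: "DT_SYMTAB", 7: "DT_RELA",
           10: "DT_STRSZ", 12: "DT_INIT", 13: "DT_FINI", 17: "DT_REL",
           20: "DT_PLTREL", 21: "DT_DEBUG", 23: "DT_JMPREL"}


def build_sample_elf():
    """Constructed ELF32 image whose order mirrors the post: .data, .eh_frame,
    .dynamic, .ctors, .dtors.  All addresses and contents are made up."""
    dynstr = b"\0libc.so.6\0"
    dynamic = b"".join(DYN.pack(t, v) for t, v in [
        (1, 1),            # DT_NEEDED -> "libc.so.6" at .dynstr offset 1
        (5, 0x08048200),   # DT_STRTAB -> made-up address of .dynstr
        (12, 0x08048300),  # DT_INIT   -> made-up init function address
        (0, 0)])           # DT_NULL terminator
    ctors = b"\xff" * 4 + b"\0" * 4   # old gcc convention: -1 sentinel, 0 end
    specs = [  # name, type, flags, vaddr, contents
        (".data", SHT_PROGBITS, SHF_WRITE | SHF_ALLOC, 0x08049000, b"A" * 16),
        (".eh_frame", SHT_PROGBITS, SHF_ALLOC, 0x08049010, b"\0" * 4),
        (".dynamic", SHT_DYNAMIC, SHF_WRITE | SHF_ALLOC, 0x08049014, dynamic),
        (".ctors", SHT_PROGBITS, SHF_WRITE | SHF_ALLOC, 0x08049034, ctors),
        (".dtors", SHT_PROGBITS, SHF_WRITE | SHF_ALLOC, 0x0804903c, ctors),
        (".dynstr", SHT_STRTAB, SHF_ALLOC, 0x08048200, dynstr)]
    shstrtab, name_off = b"\0", {}
    for name, *_ in specs + [(".shstrtab",)]:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\0"
    specs.append((".shstrtab", SHT_STRTAB, 0, 0, shstrtab))
    body, shdrs = b"", [SHDR.pack(*([0] * 10))]   # index 0 is SHT_NULL
    for name, stype, flags, addr, content in specs:
        entsize = DYN.size if stype == SHT_DYNAMIC else 0
        shdrs.append(SHDR.pack(name_off[name], stype, flags, addr,
                               EHDR.size + len(body), len(content), 0, 0, 4, entsize))
        body += content
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8   # class32, LE, v1
    ehdr = EHDR.pack(ident, 2, 3, 1, 0x08048000, 0, EHDR.size + len(body), 0,
                     EHDR.size, 32, 0, SHDR.size, len(shdrs), len(shdrs) - 1)
    return ehdr + body + b"".join(shdrs)


def parse_sections(data):
    """Return one dict per section header, names resolved via .shstrtab."""
    (ident, _t, _m, _v, _e, _ph, shoff, _f, _eh, _phes, _phn, shentsize, shnum,
     shstrndx) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1:
        raise ValueError("not an ELF32 image")
    raw = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    strtab = data[raw[shstrndx][4]:raw[shstrndx][4] + raw[shstrndx][5]]
    return [{"name": strtab[sh[0]:strtab.index(b"\0", sh[0])].decode(),
             "type": sh[1], "flags": sh[2], "addr": sh[3],
             "offset": sh[4], "size": sh[5]} for sh in raw]


def layout_after(sections, start=".data"):
    """Allocated sections at or above `start`, in address order."""
    alloc = [s for s in sections if s["flags"] & SHF_ALLOC]
    base = next(s["addr"] for s in alloc if s["name"] == start)
    return [s["name"] for s in sorted(alloc, key=lambda s: s["addr"])
            if s["addr"] >= base]


def parse_dynamic(data, sections):
    """Decode .dynamic into (tag name, value) pairs.  DT_NEEDED strings are
    looked up in the .dynstr section by file offset (a simplification; the
    loader uses the DT_STRTAB address)."""
    by_name = {s["name"]: s for s in sections}
    dyn, dynstr = by_name[".dynamic"], by_name.get(".dynstr")
    entries = []
    for pos in range(dyn["offset"], dyn["offset"] + dyn["size"], DYN.size):
        tag, val = DYN.unpack_from(data, pos)
        if tag == 1 and dynstr is not None:
            s = dynstr["offset"] + val
            val = data[s:data.index(b"\0", s)].decode()
        entries.append((DT_TAGS.get(tag, "DT_0x%x" % tag), val))
        if tag == 0:
            break   # DT_NULL ends the table
    return entries


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    secs = parse_sections(image)
    for s in secs[1:]:
        rw = ("W" if s["flags"] & SHF_WRITE else "-") + ("A" if s["flags"] & SHF_ALLOC else "-")
        print("%-10s addr=0x%08x size=0x%04x %s" % (s["name"], s["addr"], s["size"], rw))
    print("from .data upward:", " -> ".join(layout_after(secs)))
    for tag, val in parse_dynamic(image, secs):
        print("  %-12s %s" % (tag, hex(val) if isinstance(val, int) else val))
```

On the constructed image the layout line reads `.data -> .eh_frame -> .dynamic -> .ctors -> .dtors`, and the .dynamic dump shows the DT_NEEDED name resolved through .dynstr, the DT_STRTAB and DT_INIT addresses, and the DT_NULL terminator; on a real 32-bit binary the same two views show which writable sections the linker placed between .data and .dtors and what the loader actually consumes from .dynamic.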