From: Dave Korn (dave.korn at artimi.com)
Date: Wed Mar 14 2007 - 09:48:23 CDT
[ forgot to send this reply last week, just wanted to wrap up the thread]
On 06 March 2007 19:35, Brad Spengler wrote:
>> So why doesn't linux do like 'doze does, and permanently map a guard
>> page at 0x0 in all user-spaces?
>
> What version of Windows are you using?
Anything except the '9x series.
> Maybe you're getting confused
> with the behavior that giving a NULL address as a hint to any
> allocation/mapping function is a special case within the OS to select
> its own address.
Nope, I'm getting confused with the behaviour that 'doze doesn't map a guard
page, it just leaves the address *un*mapped (in both cases, to protect against
NULL pointer derefs in user mode). Shoulda checked before I posted!
> Luckily though, the address passed in is rounded down
> internally, so giving an address of 1 will let you allocate at the 0
> address.
>
> Here's some code to execute as an unprivileged user:
Couldn't get that to compile immediately, but I'll take your word for it.
> it'll verify a RWX allocation (0x40) and that the byte at 0x00000000
> contains 0x10. If there were a permanently mapped guard page at 0,
> stuff like ntvdm wouldn't work. These bugs are exploitable in Windows.
Clearly so.
cheers,
DaveK
--
Can't think of a witty .sigline today....
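As an added example for this thread (not code from Dave Korn or Brad Spengler, and not the Windows snippet Brad posted), here is the defender's side of the same question on Linux: a small C check that parses /proc/self/maps to see whether anything is mapped over the zero page, and reads vm.mmap_min_addr, the sysctl that Linux 2.6.23 introduced later in 2007 to refuse unprivileged mappings below a floor address. The two maps excerpts embedded in the code are constructed samples; the parser only relies on the documented "start-end perms ..." line layout of the maps file.

```c
/* Added example (not from the thread): check whether the zero page is mapped
 * in a Linux process by parsing /proc/<pid>/maps, and read vm.mmap_min_addr,
 * the sysctl (Linux 2.6.23 and later) below which unprivileged mmap() is
 * refused. Assumptions: Linux procfs layout; the sample maps text below is
 * constructed for illustration, not captured from a real process. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if any mapping in maps_text (one /proc/.../maps line per row)
 * covers the byte at address `addr`, else 0. */
int maps_cover_addr(const char *maps_text, unsigned long long addr)
{
    const char *p = maps_text;
    while (*p) {
        unsigned long long lo, hi;
        /* each line begins "start-end perms offset dev inode [path]" */
        if (sscanf(p, "%llx-%llx", &lo, &hi) == 2 && lo <= addr && addr < hi)
            return 1;
        p = strchr(p, '\n');
        if (!p)
            break;
        p++;
    }
    return 0;
}

/* Convenience: is the page at virtual address 0 mapped? */
int maps_cover_null_page(const char *maps_text)
{
    return maps_cover_addr(maps_text, 0);
}

/* Read a whole file into a malloc'd, NUL-terminated buffer; NULL on error. */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) {           /* grow before the next read */
            cap *= 2;
            char *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
    }
    buf[len] = '\0';
    fclose(f);
    return buf;
}

/* Check the calling process: 1 = zero page mapped, 0 = not mapped, -1 = error. */
int self_null_page_mapped(void)
{
    char *maps = slurp("/proc/self/maps");
    if (!maps)
        return -1;
    int r = maps_cover_null_page(maps);
    free(maps);
    return r;
}

/* vm.mmap_min_addr: lowest address an unprivileged mmap() may use; -1 on error. */
long read_mmap_min_addr(void)
{
    char *s = slurp("/proc/sys/vm/mmap_min_addr");
    if (!s)
        return -1;
    long v = strtol(s, NULL, 10);
    free(s);
    return v;
}

/* Constructed samples: a process that has the zero page mapped RWX (the
 * situation the thread describes on Windows) and an ordinary one. */
const char *SAMPLE_MAPS_NULL_MAPPED =
    "00000000-00001000 rwxp 00000000 00:00 0\n"
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "7ffff7dd0000-7ffff7dd1000 rw-p 00000000 00:00 0 [stack]\n";

const char *SAMPLE_MAPS_NORMAL =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "7ffff7dd0000-7ffff7dd1000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    printf("sample with zero page: %d\n", maps_cover_null_page(SAMPLE_MAPS_NULL_MAPPED));
    printf("sample without:        %d\n", maps_cover_null_page(SAMPLE_MAPS_NORMAL));
    printf("this process:          %d\n", self_null_page_mapped());
    printf("vm.mmap_min_addr:      %ld\n", read_mmap_min_addr());
    return 0;
}
```

On a stock Linux box the last two lines print 0 and the sysctl floor (commonly 65536); a non-zero floor is what makes the "permanently map a guard page at 0" question moot for unprivileged code, since the kernel simply refuses to place a mapping there rather than reserving one.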
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave