Subject: Re: No-Exec Stack Smashing 101
From: Michael H. Warfield (mhwWITTSEND.COM)
Date: Wed Apr 26 2000 - 06:05:45 CDT


On Tue, Apr 25, 2000 at 01:58:00PM -0700, Granquist, Lamont wrote:
> Okay, let's say that you've got:

> 1. non-exec stack
> 2. libc remapped to location with 0x00 in it
> 3. statically linked executable, so no PLT functions

> And assume the bug is a simple buffer overflow in a string function which
> terminates on a 0x00 (i.e. ignore for the moment ways around a 0x00
> "canary")

> How can you get around that? Is there a more general way around non-exec
> stacks than return-into-PLT exploits?

        Find a location in the code which does not have a 0x00 in the
address and which CALLS the library function and return to the address
of that call instruction?

        Mike

--
 Michael H. Warfield    |  (770) 985-6132   |  mhwWittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!