[Code-Crunchers] everyone seen this format string thingie on bugtraq?

Gil Dabah arkon at ragestorm.net
Sun Oct 22 06:09:30 CDT 2006


Well, .DTORS is only an example;
the new thing in his approach is that he copies the whole shellcode to
unused memory, instead of redirecting the return address.
The problem with his attack is that the format string buffer has to be long
enough to contain his code as well, but that's OK most of the time, probably.


On 10/22/06, Izik <xorninja at gmail.com> wrote:
>
> Just did.
>
> He basically converted that format string into a heap-alike attack.
>
> Overwriting the .DTORS in order to get execution, and using the fact that the VA
> patch at this point does not randomize anything but the stack page and
> library mappings, is what makes this attack work. If the .DTORS would've
> been randomized every time, it would've been useless.
>
> P.S.
>
> Pinky is down to 288 bytes, a post on this matter will be issued later
> today.
>
> Itzik
>
> On 10/22/06, Gadi Evron <ge at linuxbox.org> wrote:
> >
> > http://www.securityfocus.com/archive/1/449129/30/0/threaded
> >
> > _______________________________________________
> > Code-Crunchers mailing list
> > Code-Crunchers at whitestar.linuxbox.org
> > http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
> >
>
> --
> Thank you, your honor. With God's help I'll conquer this terrible
> affliction.
>      -- Mark 'Rentboy' Renton / Trainspotting
>
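The defect the thread is discussing is an attacker-controlled string being used as the format argument of a printf-family call. The following is an added example, not code from the thread or from the bugtraq post it refers to: it shows the vulnerable pattern beside the hardened form, and a small check a defender can run over untrusted text before it reaches such a call. Function names are hypothetical; the sample strings in the test are constructed.

```c
/* Added example (not from the thread): format-string defect beside its
 * hardened form, plus a directive-counting check for untrusted text.
 * All names here are hypothetical. */
#include <stdio.h>

/* Vulnerable pattern: user text becomes the format string, so any
 * conversion directives it carries ("%x", "%n", ...) are interpreted. */
void log_message_vulnerable(const char *user_text)
{
    printf(user_text);   /* defect: non-constant format argument */
}

/* Hardened pattern: the format is a constant and user text is only data. */
void log_message_safe(const char *user_text)
{
    printf("%s\n", user_text);
}

/* Count conversion directives in a string, ignoring the literal "%%"
 * escape. For text that was never meant to be a format string, any
 * non-zero result means it would be dangerous as a printf format. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" prints a single '%' and is harmless */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Policy check: 1 if the text carries no directives and is safe to treat
 * as plain data, 0 otherwise. */
int is_plain_text(const char *s)
{
    return count_format_directives(s) == 0;
}

int main(void)
{
    const char *sample = "100%% done";   /* constructed sample input */
    printf("directives in sample: %d\n", count_format_directives(sample));
    log_message_safe(sample);
    return 0;
}
```

Compilers flag the vulnerable form on their own (GCC's -Wformat-security warns about a non-literal format with no arguments), so the real fix is the constant format in log_message_safe; the counting check is only useful as a detection heuristic over logs or inputs in code you cannot rebuild.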