Gera's Insecure Programming abo7

From: sin (sin_at_insolence.net)
Date: 05/29/03

    Next message: Phrack Magazine: "Call for Papers (#61)"

    Date: Thu, 29 May 2003 10:26:52 -0500 (CDT)
    To: vuln-dev@securityfocus.com

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi.

    I'm working on Gera's insecure programming stuff, currently on abo7; as I
    understand it, this is unexploitable on most (all?) current platforms
    because of the order the sections are linked in?
    The direct problem here being that .eh_frame and .dynamic directly follow
    .data, so that I can't ever get control, because I can't overwrite useful
    (to me) data without overwriting useful (to it) data.
    So the thought that crosses my mind is: why not just copy what is in
    .eh_frame and .dynamic and .ctors until I reach .dtors? Looking through
    memory I see .dynamic is mostly 0-filled memory, which kinda, well, it
    screws that idea.
    So here are my questions:

    1) What exactly is .dynamic used for? I mean obviously it's something to do
    with dynamic data of some sort, I assume libc symbol stuff? What I am more
    asking is, where can I find more information on it; what exactly belongs
    where in .dynamic? (This question applies to really all sections; where
    can I find specific information pertaining to, like, the plt, rplt, etc.; I've
    read some about them, and I have a working idea of what they do, just
    looking for more details.)

    2) There is no way I can just overwrite .dynamic and change the 0's to, say,
    01's, is there?

    3) How far back into gcc history do I need to dig to get a version that
    assembles the sections in a different order? (Is this a gcc thing? An as
    thing? Or a glibc thing? [I realize this isn't GNU specific].)

    thanks
    j

    "Once set in motion, the process of questioning could come to but one end,
    the erosion of conviction and certitude and collapse into despair" (The
    Specter of the Absurd, 1988).

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (FreeBSD)

    iD8DBQE+1ia+oEcehqzkkpgRAkTRAJ4neEKtwBERz3sGhJ5rsgNvrJWusQCgq+2X
    pmxZSAU8vxng1zY9vz6SHCU=
    =G2dS
    -----END PGP SIGNATURE-----
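The post asks what .dynamic holds and how to see which sections the linker placed after .data. Both questions are answered by reading the section headers of the binary itself (they are not loaded into the process image, so the file has to be parsed rather than memory). The program below is an added example and is not code from the original post or from Gera's exercises: it lists every SHF_ALLOC section of an ELF64 file in address order, marking the writable ones, and then decodes the .dynamic entries by tag. It assumes a Linux/glibc toolchain (`<elf.h>`) and, given no argument, inspects itself via `/proc/self/exe`; pass the path to your abo7 binary instead. On a current gcc the .ctors/.dtors sections of the post appear as .init_array/.fini_array, and their addresses are what DT_INIT_ARRAY/DT_FINI_ARRAY in .dynamic point at.

```c
/* Added example, not part of the original post.  Assumes Linux/glibc
 * (<elf.h>, /proc/self/exe) and an ELF64 target.  Every offset read from
 * the file is bounds-checked before use, so a malformed binary is rejected
 * rather than read out of bounds. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sec { char name[32]; unsigned long addr, size, offset; int writable; };

/* Slurp a file into memory; NULL on error, caller frees. */
static unsigned char *read_file(const char *path, size_t *len) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    long sz = (fseek(f, 0, SEEK_END) == 0) ? ftell(f) : -1;
    unsigned char *buf = (sz > 0) ? malloc((size_t)sz) : NULL;
    if (!buf || fseek(f, 0, SEEK_SET) != 0 || fread(buf, 1, (size_t)sz, f) != (size_t)sz) {
        free(buf); fclose(f); return NULL;
    }
    fclose(f); *len = (size_t)sz;
    return buf;
}

static int cmp_addr(const void *a, const void *b) {
    unsigned long x = ((const struct sec *)a)->addr, y = ((const struct sec *)b)->addr;
    return (x > y) - (x < y);
}

/* Parse the section header table of an in-memory ELF64 image.  Returns the
 * number of SHF_ALLOC sections written to out, sorted by sh_addr, or -1. */
static int parse_sections(const unsigned char *buf, size_t len, struct sec *out, int max) {
    if (len < sizeof(Elf64_Ehdr)) return -1;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)buf;
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 || eh->e_ident[EI_CLASS] != ELFCLASS64) return -1;
    if (eh->e_shentsize != sizeof(Elf64_Shdr) || eh->e_shoff > len ||
        (size_t)eh->e_shnum * sizeof(Elf64_Shdr) > len - eh->e_shoff ||
        eh->e_shstrndx >= eh->e_shnum) return -1;
    const Elf64_Shdr *sh = (const Elf64_Shdr *)(buf + eh->e_shoff);
    const Elf64_Shdr *st = &sh[eh->e_shstrndx];           /* section name strings */
    if (st->sh_offset > len || st->sh_size > len - st->sh_offset) return -1;
    const char *names = (const char *)buf + st->sh_offset;
    int n = 0;
    for (int i = 0; i < eh->e_shnum && n < max; i++) {
        if (!(sh[i].sh_flags & SHF_ALLOC) || sh[i].sh_name >= st->sh_size) continue;
        snprintf(out[n].name, sizeof out[n].name, "%.*s",
                 (int)(st->sh_size - sh[i].sh_name), names + sh[i].sh_name);
        out[n].addr = sh[i].sh_addr;     out[n].size = sh[i].sh_size;
        out[n].offset = sh[i].sh_offset; out[n].writable = !!(sh[i].sh_flags & SHF_WRITE);
        n++;
    }
    qsort(out, n, sizeof *out, cmp_addr);
    return n;
}

int list_alloc_sections(const char *path, struct sec *out, int max) {
    size_t len; unsigned char *buf = read_file(path, &len);
    if (!buf) return -1;
    int n = parse_sections(buf, len, out, max);
    free(buf);
    return n;
}

int find_section(const struct sec *s, int n, const char *name) {
    for (int i = 0; i < n; i++) if (strcmp(s[i].name, name) == 0) return i;
    return -1;
}

int sorted_by_addr(const struct sec *s, int n) {
    for (int i = 1; i < n; i++) if (s[i - 1].addr > s[i].addr) return 0;
    return 1;
}

/* Copy the d_tag of each .dynamic entry up to the terminating DT_NULL.
 * Returns the count, or -1 if the file has no .dynamic section. */
int dynamic_tags(const char *path, long *tags, int max) {
    struct sec secs[128];
    size_t len; unsigned char *buf = read_file(path, &len);
    if (!buf) return -1;
    int n = parse_sections(buf, len, secs, 128), d = find_section(secs, n, ".dynamic"), m = -1;
    if (d >= 0 && secs[d].offset <= len && secs[d].size <= len - secs[d].offset) {
        const Elf64_Dyn *dyn = (const Elf64_Dyn *)(buf + secs[d].offset);
        size_t cnt = secs[d].size / sizeof(Elf64_Dyn);
        for (m = 0; (size_t)m < cnt && m < max && dyn[m].d_tag != DT_NULL; m++)
            tags[m] = (long)dyn[m].d_tag;
    }
    free(buf);
    return m;
}

int has_tag(const long *tags, int n, long tag) {
    for (int i = 0; i < n; i++) if (tags[i] == tag) return 1;
    return 0;
}

static const char *tag_name(long t) {
    switch (t) {
    case DT_NEEDED:     return "DT_NEEDED (shared library dependency)";
    case DT_STRTAB:     return "DT_STRTAB (dynamic string table)";
    case DT_SYMTAB:     return "DT_SYMTAB (dynamic symbol table)";
    case DT_PLTGOT:     return "DT_PLTGOT (GOT used by the PLT)";
    case DT_JMPREL:     return "DT_JMPREL (PLT relocations)";
    case DT_INIT_ARRAY: return "DT_INIT_ARRAY (constructors)";
    case DT_FINI_ARRAY: return "DT_FINI_ARRAY (destructors)";
    default:            return "(other)";
    }
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    struct sec secs[128]; long tags[64];
    int n = list_alloc_sections(path, secs, 128);
    if (n < 0) { fprintf(stderr, "%s: not a readable ELF64 file\n", path); return 1; }
    for (int i = 0; i < n; i++)
        printf("%-20s %016lx %8lx %s\n", secs[i].name, secs[i].addr, secs[i].size,
               secs[i].writable ? "W" : "-");
    int m = dynamic_tags(path, tags, 64);
    for (int i = 0; i < m; i++) printf("  .dynamic[%2d] tag %#lx %s\n", i, tags[i], tag_name(tags[i]));
    return 0;
}
```

The listing makes the "can I get from .data to .dtors without clobbering something the loader needs" question concrete: the W column shows which sections an overflow can reach at all, and the .dynamic tags show what ld.so reads from there (string and symbol tables, relocations, the init/fini arrays). For the full meaning of each tag and section, the authoritative reference is the System V ABI / ELF specification rather than any gcc or glibc document, since the ordering and contents are decided by the linker script of ld, not by gcc or as.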

