Re: Randomized Stack
From: Rik Bobbaers (Rik.Bobbaers_at_cc.kuleuven.be)
Date: 11/28/05
- Previous message: SanjayR: "Cause of MS SSL DoS attack"
- In reply to: Oldani Massimiliano: "Re: Randomized Stack"
To: vuln-dev@securityfocus.com
Date: Mon, 28 Nov 2005 15:41:58 +0100
On Friday 25 November 2005 17:47, Oldani Massimiliano wrote:
> Stack random? Only a random stack? Or with random mmap()/stack and
> a no-exec workaround?
> If you have only a random stack and you can execute code in the stack,
> you can check for interesting pointers in the stack and chain a
> ret-into-ret until you get it,
> or find a jmp *%esp instruction somewhere and jump to your payload.
> Alternatively you can construct arguments with a ret-into-PLT strcpy()
> chain in some RW place and then use them.
An alternative (easier ;)): put a 64k NOP sled in front of your shellcode and
"brute force" it ;)
--
harry aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers@cc.kuleuven.be -=- http://harry.ulyssis.org

Disclaimer: By sending an email to ANY of my addresses you are agreeing that:
1. I am by definition, "the intended recipient"
2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to. In particular, I may quote it on usenet.
3. I may take the contents as representing the views of your company.
4. This overrides any disclaimer or statement of confidentiality that may be included on your message.

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
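The two approaches above (locate a jmp *%esp style gadget in a non-randomized image, or put a large NOP sled in front of the payload and guess) can be illustrated with a small program. This is an added example written for this page, not code posted by either participant. It assumes: a constructed byte array standing in for a binary's text section (not taken from any real executable), a model in which the stack base moves by a uniform offset over a power-of-two range (8 MiB is an assumed figure, not one from the thread), and a xorshift PRNG so the simulation is reproducible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 gadgets that transfer control to wherever %esp points.
 * Encodings: FF /4 = jmp r/m32, FF /2 = call r/m32, modrm for %esp. */
static const uint8_t JMP_ESP[]      = { 0xff, 0xe4 }; /* jmp  *%esp     */
static const uint8_t CALL_ESP[]     = { 0xff, 0xd4 }; /* call *%esp     */
static const uint8_t PUSH_ESP_RET[] = { 0x54, 0xc3 }; /* push %esp; ret */

/* Offset of the first occurrence of `pat` in `img`, or -1 if absent.
 * Every byte offset is a candidate: x86 has no instruction alignment,
 * so a usable gadget may lie inside another instruction's operand bytes. */
long find_gadget(const uint8_t *img, size_t len,
                 const uint8_t *pat, size_t plen)
{
    if (plen == 0 || len < plen) return -1;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        while (j < plen && img[i + j] == pat[j]) j++;
        if (j == plen) return (long)i;
    }
    return -1;
}

/* Constructed sample "text section" (assumption: not from any real
 * binary) containing jmp *%esp at offset 7 and push %esp; ret at 13. */
static const uint8_t SAMPLE_TEXT[] = {
    0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x90,   /* 0..6   prologue filler   */
    0xff, 0xe4,                                 /* 7..8   jmp *%esp         */
    0x31, 0xc0, 0xc9, 0xc3,                     /* 9..12  xor/leave/ret     */
    0x54, 0xc3,                                 /* 13..14 push %esp; ret    */
    0x90, 0x90
};

/* Expected tries when the stack base is uniform over `range` bytes and
 * the sled is `sled` bytes: a fixed guessed return address lands inside
 * the sled with probability sled/range, so on average range/sled tries. */
unsigned long expected_tries(unsigned long range, unsigned long sled)
{
    return range / sled;
}

/* xorshift32: tiny deterministic PRNG (assumed here for reproducibility). */
static uint32_t xs32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* One brute-force run. Each attempt the target re-randomises its stack,
 * modelled as the guessed address sitting at a uniform offset in
 * [0, range) from the sled start (range must be a power of two). The
 * attacker always sends the same guess; it hits when offset < sled.
 * Returns the number of tries used. */
unsigned long simulate_bruteforce(unsigned long range, unsigned long sled,
                                  uint32_t *state)
{
    unsigned long tries = 0;
    for (;;) {
        tries++;
        uint32_t off = xs32(state) & (uint32_t)(range - 1);
        if (off < sled) return tries;
    }
}

/* Average tries over `runs` simulations drawn from one PRNG stream. */
double average_tries(unsigned long range, unsigned long sled, unsigned runs)
{
    uint32_t state = 0x9e3779b9u;  /* fixed seed: assumption */
    double total = 0;
    for (unsigned i = 0; i < runs; i++)
        total += (double)simulate_bruteforce(range, sled, &state);
    return total / runs;
}

int main(void)
{
    printf("jmp *%%esp      at offset %ld\n",
           find_gadget(SAMPLE_TEXT, sizeof SAMPLE_TEXT, JMP_ESP, sizeof JMP_ESP));
    printf("push %%esp; ret at offset %ld\n",
           find_gadget(SAMPLE_TEXT, sizeof SAMPLE_TEXT, PUSH_ESP_RET, sizeof PUSH_ESP_RET));
    printf("call *%%esp     at offset %ld\n",
           find_gadget(SAMPLE_TEXT, sizeof SAMPLE_TEXT, CALL_ESP, sizeof CALL_ESP));

    unsigned long range = 1UL << 23;  /* 8 MiB of stack randomisation: assumed */
    unsigned long sled  = 1UL << 16;  /* the 64k sled from the post */
    printf("64k sled over 8 MiB: expected %lu tries, simulated average %.1f\n",
           expected_tries(range, sled), average_tries(range, sled, 20000));
    return 0;
}
```

The gadget search is what makes the jmp *%esp route work without guessing at all: the image is at a fixed address, so a single hit gives a reliable return target. The simulation shows the cost of the other route: the sled does not defeat the randomization, it only divides the search space, so the expected try count is the randomization range over the sled size, and a target that does not crash-and-restart cheaply makes that count matter.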