Re: problem in bypassing stack randomization ("call *%edx" technique)

From: purelysp4m@xxxxxxxxxxx
Date: 20 Sep 2006 16:03:14 -0000

The technique is explained in greater detail at http://milw0rm.org/papers/55 , but unfortunately it only talks about JMP *%esp

By playing around a bit, it looks like %edx always points to the command-line argument after the one you pass to strcpy(). That is, if you do strcpy(vuln,argv[73]), %edx will point to argv[74].
If you use strncpy, no registers will point to any of your command-line arguments.

It is, to my knowledge, not possible to directly edit %edx. I'd suggest using gdb to find the contents of the registers when the program crashes, and then figure out how to control the data at one of those locations :)

Prev by Date: PAKCON III: Call for Papers (CfP 2006)
Next by Date: bypassing randomized stack using linux-gate.so.1
Previous by thread: PAKCON III: Call for Papers (CfP 2006)
Next by thread: bypassing randomized stack using linux-gate.so.1
Index(es):
- Date
- Thread

Relevant Pages

Re: Stack Interface between x86 Assembler & Forth -- technique when running out of unpro
... A little poking of the other registers suggest that edx, ... packed strings into ebx, ecx, edx respectively. ... push ebx \ preserve TOS ...
(comp.lang.forth)
Re: Stack Interface between x86 Assembler & Forth -- technique when running out of unpro
... EDX, EDI, ESI are not used much by the x86 instructions. ... something like EBX being used for TOS. ... for interrupt routines to mess up registers. ... The only way I could think to do it was to save edx into the unused part of the stack where I could then later fetch it from. ...
(comp.lang.forth)
Re: LEA instruction
... >> Actually it consumes an additional register, ... The processor has a large number of registers internally, ... constantly mapping the aliases you program with (eax, ecx, edx, ebx, esp, ... int *ary; ...
(comp.lang.asm.x86)
Re: OK to use MMX registers as temporary storage?
... I have occasionally used either MMX ... registers during the development cycle of an algo and it has never ... Do the speed compare between integer to MMX registers against MOV REG ... mov _edx, edx ...
(comp.lang.asm.x86)
Re: how to return the carry flag?
... know which registers are used. ... "mov" operations using register arguments? ... _fast call parameters are (eax, edx, ecx, stack...) ...
(borland.public.delphi.language.basm)