Re: problem in bypassing stack randomization ("call *%edx" technique)
- From: "Loptr Chaote" <loptr.chaote@xxxxxxxxx>
- Date: Fri, 5 Jan 2007 13:41:17 -0500
Modifying edx is theoretically possible via push/pop instructions..
But finding the needed opcode combination in linux-gate.so.1 is
(unfortunately) not possible.
$ ./got_opcode "pop edx" "call .edx"
[*] Searching for sequence 5a ff 12
[*] No matching opcodes were found in kernel.
On 20 Sep 2006 16:03:14 -0000, purelysp4m@xxxxxxxxxxx
<purelysp4m@xxxxxxxxxxx> wrote:
The technique is explained in greater detail at http://milw0rm.org/papers/55 , but unfortunately it only talks about JMP *%esp
By playing around a bit, it looks like %edx always points to the command-line argument after the one you pass to strcpy(). That is, if you do strcpy(vuln,argv[73]), %edx will point to argv[74].
If you use strncpy, no registers will point to any of your command-line arguments.
It is, to my knowledge, not possible to directly edit %edx. I'd suggest using gdb to find the contents of the registers when the program crashes, and then figure out how to control the data at one of those locations :)
- Follow-Ups:
- Re: problem in bypassing stack randomization ("call *%edx" technique)
- From: Sebastian Krahmer
- Re: problem in bypassing stack randomization ("call *%edx" technique)
- Prev by Date: .Net Debug
- Next by Date: Re: .Net Debug
- Previous by thread: .Net Debug
- Next by thread: Re: problem in bypassing stack randomization ("call *%edx" technique)
- Index(es):
