Vuln Dev
Re: problem in bypassing stack randomization ("call *%edx" technique) Sep 20 2006 04:03PM
purelysp4m hotmail com (1 replies)
The technique is explained in greater detail at http://milw0rm.org/papers/55, but unfortunately it only talks about JMP *%esp.

By playing around a bit, it looks like %edx always points to the command-line argument after the one you pass to strcpy(). That is, if you do strcpy(vuln,argv[73]), %edx will point to argv[74].

If you use strncpy, no registers will point to any of your command-line arguments.

It is, to my knowledge, not possible to directly edit %edx. I'd suggest using gdb to find the contents of the registers when the program crashes, and then figure out how to control the data at one of those locations :)

[ reply ]
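To make the register-trampoline hunt concrete, here is an added example that is not part of the post or of the milw0rm paper it links to. It is a small C scanner that searches a dumped code region (for instance the .text of a non-randomized binary or a libc mapping at a fixed address) for the two-byte encodings of `call *%edx`, `jmp *%edx`, `call *%esp` and `jmp *%esp`, and flags any hit whose address contains a NUL byte, since strcpy() would truncate the overflow string there. The function names, the `sample_text` bytes and the `0x08048400` base address are all constructed for the demonstration; on a real target you would feed it the bytes of the mapping you dumped with gdb or objdump.

```c
/* Added example: find "call/jmp *%reg" trampolines in a byte buffer.
 * Hypothetical helper code, not from the post or the milw0rm paper. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    unsigned long addr;    /* virtual address of the 2-byte gadget */
    const char *mnemonic;  /* e.g. "call *%edx" */
} gadget_t;

/* Opcode 0xFF with a register-direct ModRM byte: /2 = call, /4 = jmp,
 * edx = 010, esp = 100 (mod=11). These are the trampolines the thread
 * talks about. */
static const struct { unsigned char modrm; const char *name; } trampolines[] = {
    { 0xD2, "call *%edx" },
    { 0xE2, "jmp *%edx"  },
    { 0xD4, "call *%esp" },
    { 0xE4, "jmp *%esp"  },
};

/* Scan buf[0..len) for FF xx trampolines. Every byte offset is tried,
 * because an x86 gadget does not need to sit on an instruction boundary.
 * Returns the total number found; the first max_out are written to out[]. */
size_t find_trampolines(const unsigned char *buf, size_t len, unsigned long base,
                        gadget_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] != 0xFF)
            continue;
        for (size_t k = 0; k < sizeof trampolines / sizeof trampolines[0]; k++) {
            if (buf[i + 1] == trampolines[k].modrm) {
                if (n < max_out) {
                    out[n].addr = base + i;
                    out[n].mnemonic = trampolines[k].name;
                }
                n++;
            }
        }
    }
    return n;
}

/* strcpy() copies up to the first NUL, so a 32-bit return address with a
 * zero byte cannot be delivered through strcpy(vuln, argv[n]). */
int addr_has_nul(unsigned long addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xFF) == 0)
            return 1;
    return 0;
}

/* Constructed sample "text section": a function prologue plus three
 * trampolines at offsets 6, 10 and 14. Not bytes from any real binary. */
static const unsigned char sample_text[] = {
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10,   /* push %ebp; mov %esp,%ebp; sub $0x10,%esp */
    0xFF, 0xD2,                           /* call *%edx  (offset 6)  */
    0x90, 0x90,                           /* nop; nop */
    0xFF, 0xE4,                           /* jmp *%esp   (offset 10) */
    0xC9, 0xC3,                           /* leave; ret */
    0xFF, 0xE2,                           /* jmp *%edx   (offset 14) */
};

#define SAMPLE_BASE 0x08048400UL   /* assumed, non-randomized load address */

size_t sample_count(void)
{
    gadget_t g[16];
    return find_trampolines(sample_text, sizeof sample_text, SAMPLE_BASE, g, 16);
}

unsigned long sample_addr(size_t i)
{
    gadget_t g[16];
    size_t n = find_trampolines(sample_text, sizeof sample_text, SAMPLE_BASE, g, 16);
    return i < n ? g[i].addr : 0;
}

const char *sample_mnemonic(size_t i)
{
    gadget_t g[16];
    size_t n = find_trampolines(sample_text, sizeof sample_text, SAMPLE_BASE, g, 16);
    return i < n ? g[i].mnemonic : "";
}

int main(void)
{
    gadget_t found[16];
    size_t n = find_trampolines(sample_text, sizeof sample_text, SAMPLE_BASE, found, 16);
    for (size_t i = 0; i < n; i++)
        printf("0x%08lx  %-11s %s\n", found[i].addr, found[i].mnemonic,
               addr_has_nul(found[i].addr) ? "(contains NUL, unusable via strcpy)" : "");
    return 0;
}
```

The scanner only answers the "where is a `call *%edx`" half of the problem; the other half is the one the post describes, namely confirming in gdb at crash time that %edx (or another register) really points into data you control, and then placing the gadget address over the saved return address.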
Re: problem in bypassing stack randomization ("call *%edx" technique) Jan 05 2007 06:41PM
Loptr Chaote (loptr chaote gmail com) (1 replies)
Re: problem in bypassing stack randomization ("call *%edx" technique) Jan 08 2007 08:19AM
Sebastian Krahmer (krahmer suse de)


 

Copyright 2010, SecurityFocus