* [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > dl_make_stack_executable() will nicely return into user_input
> > > (at which time the stack has already become executable).
> >
> > wrong, _dl_make_stack_executable() will not return into user_input() in
> > your scenario, and your exploit will be aborted. Check the glibc sources
> > and the implementation of _dl_make_stack_executable() in particular.
>
> oh, you mean the invincible __check_caller(). one possibility:
>
> [...]
> [field1 and other locals replaced with shellcode]
> [value of __libc_stack_end]
> [some space for the local variables of dl_make_stack_executable and others]
> [saved EBP replaced with anything in this case]
> [saved EIP replaced with address of a 'pop eax'/'retn' sequence]
> [address of [value of __libc_stack_end], loads into eax]
> [address of dl_make_stack_executable()]
> [address of a suitable 'retn' insn in ld.so/libpthread.so]
> [user_input left in place, i.e., overflows end before this]
> [...]
still wrong. What you get this way is a nice, complicated NOP.
Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
