
Re: Buffer Overflows



In a previous mail I said:

Another example of "Closed source OS" (quotes because you can get some of the sources for solaris, at least there was an open source version of solaris 8, for the source sharing community, or something like that).

	And in response to this, warning3 sent me an email saying that it's not possible to use the "jmp esp" trick on solaris/sparc, which is absolutely correct, because "esp" gets corrupted, as well as all the other registers, when you overwrite the saved register window.
	In our case, when we used the "jmp esp" trick, it was not a jmp esp, but rather a jmp %gx, and the global was, rather unexpectedly, pointing to our code. I don't think this is going to be generic.
	Other cases where we use the "address database" in solaris are for the addresses of exitfns (atexit() function pointers) and libc's PLT. The trick of using atexit() function pointers was pretty reliable for us; however, to exploit it you have to be able to force an exit() in the application, which is not always the case.

	Of course, the original "jmp esp" can be used on solaris/i386, but nobody really cares much about that.

	gera