Canaries and format strings
This code is found in a commercial, yet discontinued, kernel-mode debugger! ;)

https://www.openrce.org/repositories/users/dennis/sice.gif

The implementation of debugger extensions must have been done in a rush:

1. sprintf is used instead of snprintf, so the write into the buffer is unbounded.
2. A static buffer with a static size is used.
3. A constant canary value is used instead of a (pseudo)random one, so anyone who knows the value can simply write it back.
4. The return address is stored AFTER the static, overflowable buffer.
5. The developer of a debugger extension can pass his own format string to that function.

Sample PoC can be found here. Although this is a 0-day, it has not been published, since debugger extensions run in ring 0 anyway.

Fear the BADB0B0!
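The five flaws combine into one exploit path: the extension author's format string drives sprintf into a fixed buffer, the overflow runs over the canary into the return address, and because the canary is a known constant the check still passes. The C model below is an illustration added here, not code from the debugger in question or its PoC. The frame layout, the constant 0x0BADB0B0 (after the post's "BADB0B0"), the GOOD_RET placeholder and the 0x5EEDF00D stand-in for a per-boot random canary are all assumptions for the example, and the unbounded write is simulated inside a struct, since actually running sprintf past the buffer would be undefined behaviour. It shows the same attacker input defeating the constant canary, being caught by a random one, and bouncing off a hardened version of the print routine.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE     32
#define CONST_CANARY 0x0BADB0B0u   /* assumed constant canary, after the post's "BADB0B0" */
#define GOOD_RET     0xC0DE0000u   /* placeholder for the legitimate saved return address */

/* Model of the frame the post describes: canary and return address
 * sit directly after the overflowable buffer. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t canary;
    uint32_t ret;
};

struct outcome {
    int      check_passed;   /* 1 if the canary compare saw no tampering */
    uint32_t ret_after;      /* value left in the return-address slot */
    int      truncated;      /* hardened path only: input did not fit */
};

/* Vulnerable pattern: caller-controlled format string, unbounded write into a
 * fixed buffer, constant canary. A real sprintf past buf[] is undefined
 * behaviour, so the overflow is modelled by formatting into scratch space and
 * copying every produced byte into the frame, stopping only at its end. */
static int ext_print_vuln(struct frame *f, uint32_t canary, const char *fmt, ...)
{
    char scratch[256];
    va_list ap;

    f->canary = canary;
    f->ret = GOOD_RET;

    va_start(ap, fmt);
    int len = vsnprintf(scratch, sizeof scratch, fmt, ap);  /* fmt chosen by the extension author */
    va_end(ap);
    if (len < 0)
        return 0;
    size_t n = (size_t)len + 1;                 /* sprintf writes the NUL too */
    if (n > sizeof scratch) n = sizeof scratch;
    if (n > sizeof *f) n = sizeof *f;           /* keep the model inside the struct */
    memcpy(f, scratch, n);                      /* the overflow */

    return f->canary == canary;                 /* attacker who knows the constant passes this */
}

/* Hardened form: the caller's text is data, not a format; the write is bounded;
 * the canary is a per-run value (in production: from a CSPRNG at startup).
 * Truncation is reported instead of spilling into the frame. */
static int ext_print_safe(struct frame *f, uint32_t canary, const char *msg, int *truncated)
{
    f->canary = canary;
    f->ret = GOOD_RET;
    int len = snprintf(f->buf, sizeof f->buf, "%s", msg);
    *truncated = (len < 0) || ((size_t)len >= sizeof f->buf);
    return f->canary == canary;
}

/* Constructed attacker input: fill the buffer, then the canary value the attacker
 * expects to find, then the value aimed at the return slot, in host byte order
 * as it would lie on the stack. No byte is 0x00 or '%', so it survives as a C string. */
static size_t build_payload(char *out, uint32_t canary_guess, uint32_t fake_ret)
{
    size_t n = BUF_SIZE;
    memset(out, 'A', n);
    memcpy(out + n, &canary_guess, sizeof canary_guess); n += sizeof canary_guess;
    memcpy(out + n, &fake_ret, sizeof fake_ret);         n += sizeof fake_ret;
    out[n] = '\0';
    return n;
}

/* Attack the vulnerable routine while it uses canary_in_use; the attacker assumes BADB0B0. */
static struct outcome run_vuln(uint32_t canary_in_use)
{
    struct frame f;
    char payload[64];
    struct outcome o = { 0, 0, 0 };
    build_payload(payload, CONST_CANARY, 0x41414141u);
    o.check_passed = ext_print_vuln(&f, canary_in_use, payload);
    o.ret_after = f.ret;
    return o;
}

/* Same payload against the hardened routine. */
static struct outcome run_safe(uint32_t canary_in_use)
{
    struct frame f;
    char payload[64];
    struct outcome o = { 0, 0, 0 };
    build_payload(payload, CONST_CANARY, 0x41414141u);
    o.check_passed = ext_print_safe(&f, canary_in_use, payload, &o.truncated);
    o.ret_after = f.ret;
    return o;
}

int main(void)
{
    struct outcome a = run_vuln(CONST_CANARY);   /* constant canary: check passes, ret hijacked */
    struct outcome b = run_vuln(0x5EEDF00Du);    /* stand-in for a random canary: caught */
    struct outcome c = run_safe(0x5EEDF00Du);    /* hardened: ret untouched, truncation reported */
    printf("constant canary: check=%d ret=0x%08x\n", a.check_passed, a.ret_after);
    printf("random canary:   check=%d ret=0x%08x\n", b.check_passed, b.ret_after);
    printf("hardened:        check=%d ret=0x%08x truncated=%d\n", c.check_passed, c.ret_after, c.truncated);
    return 0;
}
```

With the constant canary the check reports an intact frame while the return slot already holds 0x41414141; swapping in a value the attacker could not have guessed makes the identical input fail the check, and the hardened routine never lets the input reach the canary at all, reporting truncation instead. In the real kernel-mode case the missing piece is that the attacker does not even need to guess the canary, since it is a compile-time constant visible in the binary.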