
Gera's Insecure Programming abo7

From: sin <sin(at)insolence.net>
Date: Thu May 29 2003 - 11:26:52 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi.

I'm working on Gera's insecure programming stuff, currently on abo7; as I understand it, this is unexploitable on most (all?) current platforms because of the order the sections are linked in? The direct problem here being that .eh_frame and .dynamic directly follow .data, so that I can't ever get control, because I can't overwrite useful (to me) data without overwriting useful (to it) data.

So the thought that crosses my mind is: why not just copy what is in .eh_frame and .dynamic and .ctors until I reach .dtors? Looking through memory, I see .dynamic is mostly 0-filled memory, which kinda... well, it screws that idea.
So here are my questions:

  1. What exactly is .dynamic used for? I mean, obviously it's something to do with dynamic data of some sort, I assume libc symbol stuff? What I am more asking is, where can I find more information on it; what exactly belongs where in .dynamic? (This question applies to really all sections: where can I find specific information pertaining to, like, the plt, rplt, etc.? I've read some about them, and I have a working idea of what they do; just looking for more details.)
  2. There is no way I can just overwrite .dynamic and change the 0's to, say, 01's, is there?
  3. How far back into gcc history do I need to dig to get a version that assembles the sections in a different order? (Is this a gcc thing? An as thing? Or a glibc thing? [I realize this isn't GNU specific.])

thanks
j

"Once set in motion, the process of questioning could come to but one end, the erosion of conviction and certitude and collapse into despair" (The Specter of the Absurd, 1988).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+1ia+oEcehqzkkpgRAkTRAJ4neEKtwBERz3sGhJ5rsgNvrJWusQCgq+2X
pmxZSAU8vxng1zY9vz6SHCU=
=G2dS
-----END PGP SIGNATURE-----
Received on Fri May 30 16:58:57 2003
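As an added example (not from the original post, and not gera's or anyone else's project code), here is a small C program that makes the layout question above concrete for any ELF64 binary: it lists the allocated sections in address order, so you can see exactly which sections sit between .data and .dtors (on newer toolchains .ctors/.dtors have become .init_array/.fini_array), and it decodes the .dynamic section so the "mostly 0-filled" area turns into readable tag/value pairs (DT_STRTAB, DT_SYMTAB, DT_PLTGOT, DT_JMPREL, DT_NEEDED and so on), which is the table the dynamic linker walks at load time. It assumes Linux with glibc's <elf.h> and a little-endian ELF64 input, and with no argument reads the running program via /proc/self/exe; the function names, the secinfo/elfimg types and the selection of tags are my own choices, not anything the post specifies.

```c
/* Added example, not from the original post: walk an ELF64 file's allocated
 * sections in address order and decode its .dynamic entries, to show what sits
 * between .data and .dtors (.fini_array on newer toolchains) and what the dynamic
 * linker keeps there. Assumes Linux/glibc <elf.h> and a little-endian ELF64 input. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char name[64]; unsigned long addr, size; } secinfo;
typedef struct {          /* a loaded file plus its section table and .shstrtab */
    unsigned char *buf; unsigned long len; const Elf64_Ehdr *eh;
    const Elf64_Shdr *sh; const char *str; unsigned long strsz; } elfimg;

/* Read and validate `path`; every offset is bounds-checked against the file
 * length so a hostile binary cannot walk the parser out of the buffer. */
static int elf_load(const char *path, elfimg *im)
{
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    fseek(f, 0, SEEK_END); long len = ftell(f); rewind(f);
    im->buf = len > 0 ? malloc(len) : NULL;
    int ok = im->buf && fread(im->buf, 1, len, f) == (size_t)len;
    fclose(f); im->len = (unsigned long)len;
    const Elf64_Ehdr *e = im->eh = (const Elf64_Ehdr *)im->buf;
    ok = ok && im->len >= sizeof *e && !memcmp(e->e_ident, ELFMAG, SELFMAG) &&
         e->e_ident[EI_CLASS] == ELFCLASS64 && e->e_ident[EI_DATA] == ELFDATA2LSB &&
         e->e_shnum > 0 && e->e_shstrndx < e->e_shnum &&
         e->e_shoff + e->e_shnum * sizeof(Elf64_Shdr) <= im->len;
    im->sh = ok ? (const Elf64_Shdr *)(im->buf + e->e_shoff) : NULL;
    const Elf64_Shdr *ss = ok ? &im->sh[e->e_shstrndx] : NULL;
    if (!ok || ss->sh_offset + ss->sh_size > im->len) { free(im->buf); return 0; }
    im->str = (const char *)(im->buf + ss->sh_offset); im->strsz = ss->sh_size;
    return 1;
}

/* Fill out[] with the SHF_ALLOC sections of `path` sorted by address; returns
 * the count, or -1 if the file is not a usable ELF64. */
int elf_sections_by_addr(const char *path, secinfo *out, int max)
{
    elfimg im; int n = 0;
    if (!elf_load(path, &im)) return -1;
    for (int i = 0; i < im.eh->e_shnum && n < max; i++) {
        const Elf64_Shdr *s = &im.sh[i];
        if (!(s->sh_flags & SHF_ALLOC) || s->sh_name >= im.strsz) continue;
        snprintf(out[n].name, sizeof out[n].name, "%.*s", (int)(im.strsz - s->sh_name), im.str + s->sh_name);
        out[n].addr = s->sh_addr; out[n].size = s->sh_size; n++;
    }
    for (int i = 1; i < n; i++) {                 /* insertion sort: the table is tiny */
        secinfo t = out[i]; int j = i - 1;
        for (; j >= 0 && out[j].addr > t.addr; j--) out[j + 1] = out[j];
        out[j + 1] = t;
    }
    free(im.buf);
    return n;
}

/* Print the .dynamic entries of `path`, naming the tags that matter for this
 * kind of work; returns the number of DT_NEEDED entries, 0 when there is no
 * .dynamic section (a static binary), or -1 on a parse error. */
int elf_dump_dynamic(const char *path)
{
    static const struct { long tag; const char *name; } tags[] = {
        { DT_NEEDED, "DT_NEEDED" }, { DT_STRTAB, "DT_STRTAB" }, { DT_SYMTAB, "DT_SYMTAB" },
        { DT_PLTGOT, "DT_PLTGOT" }, { DT_JMPREL, "DT_JMPREL" }, { DT_INIT, "DT_INIT" },
        { DT_FINI, "DT_FINI" }, { DT_FINI_ARRAY, "DT_FINI_ARRAY" } };
    elfimg im; int needed = 0;
    if (!elf_load(path, &im)) return -1;
    for (int i = 0; i < im.eh->e_shnum; i++) {
        const Elf64_Shdr *d = &im.sh[i];
        if (d->sh_type != SHT_DYNAMIC) continue;
        if (d->sh_link >= im.eh->e_shnum || d->sh_offset + d->sh_size > im.len) { needed = -1; break; }
        const Elf64_Shdr *ds = &im.sh[d->sh_link];                   /* sh_link -> .dynstr */
        if (ds->sh_offset + ds->sh_size > im.len) { needed = -1; break; }
        const Elf64_Dyn *dyn = (const Elf64_Dyn *)(im.buf + d->sh_offset);
        const char *dynstr = (const char *)(im.buf + ds->sh_offset);
        for (unsigned long k = 0; k < d->sh_size / sizeof *dyn && dyn[k].d_tag != DT_NULL; k++) {
            long tag = dyn[k].d_tag; unsigned long val = dyn[k].d_un.d_val; const char *tn = "";
            for (size_t t = 0; t < sizeof tags / sizeof tags[0]; t++)
                if (tags[t].tag == tag) tn = tags[t].name;
            printf("  tag 0x%-6lx val 0x%-16lx %s", (unsigned long)tag, val, tn);
            if (tag == DT_NEEDED && val < ds->sh_size) { printf(" %.*s", (int)(ds->sh_size - val), dynstr + val); needed++; }
            putchar('\n');
        }
        break;                                        /* a file has at most one .dynamic */
    }
    free(im.buf);
    return needed;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    secinfo s[128]; int n = elf_sections_by_addr(path, s, 128);
    if (n < 0) { fprintf(stderr, "%s: not a little-endian ELF64 with section headers\n", path); return 1; }
    for (int i = 0; i < n; i++) printf("0x%016lx 0x%-8lx %s\n", s[i].addr, s[i].size, s[i].name);
    return elf_dump_dynamic(path) < 0;
}
```

Run it with no arguments to inspect itself, or pass the path of the abo7 binary; on the listing, look at what is laid out between .data and .dtors (or .fini_array) and at which .dynamic entries point into the memory you would have to trample. Two caveats: the 2003-era abo7 targets were 32-bit, so inspecting one of those needs the Elf32_* types in place of Elf64_*; and the section order itself comes from the GNU linker's default linker script (`ld --verbose` prints it), not from gcc or as, which is where to look for the third question.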

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT
