> On Wed, 20 Nov 2002 bukys@cs.rochester.edu wrote:
> 
> Hi,
> 
> Maybe with threads where one thread can smash other threads'
> stack that way. Other thread then may jump into that loop
> too. :) Unfortunately infinite recursion will crash very soon,
> so you need special trick like the function arguments that
> are pushed on stack should contain addresses the other thread
> is then using for retaddr or saved ebp. It's asking for headache
> but I assume you can somehow do it with threads.
 
Interesting concept.

In theory this may be possible yes, but primarily for implementations that
don't use guard pages (for the approach I'm thinking of).  Linuxthreads in
glibc 2.2 uses guard pages, whereas glibc 2.1 does not use guard pages.

It could be a PITA to get something working here in terms of actual
exploitation :-)

Anyway..
If anyone ever gets that to work (or even tries), I'll be impressed! :-)

--
Silvio

> Sebastian
> 
> > While a recursion-induced stack overflow can obviously lead to a
> > denial-of-service attack, are there any examples of it being turned
> > into an opportunity for remote execution?
> >
> > NOTE that I'm talking about a RECURSION stack overflow, NOT a buffer
> > overflow of some stack variables.
> >
> > Ideas would be very welcome.
> >
> > Liudvikas Bukys
> > University of Rochester
> >
> 
> --
> ~
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer@suse.de - SuSE Security Team
> ~
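
The guard-page distinction Silvio draws above (glibc 2.2 LinuxThreads guards
thread stacks, glibc 2.1 does not) is something a defender can check on a
live system. The following is an added example, not code from anyone in this
thread: it spawns a pthread under a chosen guard policy and reads back the
guard size the running thread actually has, so an unguarded stack (where one
thread's runaway recursion could reach a neighbouring thread's stack instead
of faulting) shows up as 0. It assumes Linux/glibc, since pthread_getattr_np
is a GNU extension.

```c
// Added example: probe the guard region on a pthread stack (Linux/glibc).
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <unistd.h>

struct guard_probe {
    size_t requested;   /* guard size to ask for; ignored when use_default */
    int    use_default; /* 1 = leave the attribute's guard size untouched */
    size_t observed;    /* guard size the running thread reports back */
};

/* Thread body: read back the guard size actually applied to this stack. */
static void *report_guard(void *arg) {
    struct guard_probe *p = arg;
    pthread_attr_t attr;
    p->observed = 0;
    if (pthread_getattr_np(pthread_self(), &attr) == 0) {
        pthread_attr_getguardsize(&attr, &p->observed);
        pthread_attr_destroy(&attr);
    }
    return NULL;
}

/* Spawn a thread with the given guard policy and return the guard size it
 * observes. 0 means an unguarded stack: the glibc 2.1 LinuxThreads
 * condition discussed above, where recursion in one thread can run into
 * another thread's stack rather than hitting a fault. */
size_t guard_size_of_thread(size_t requested, int use_default) {
    struct guard_probe p = { requested, use_default, 0 };
    pthread_attr_t attr;
    pthread_t tid;
    if (pthread_attr_init(&attr) != 0) return 0;
    if (!use_default && pthread_attr_setguardsize(&attr, requested) != 0) {
        pthread_attr_destroy(&attr);
        return 0;
    }
    if (pthread_create(&tid, &attr, report_guard, &p) == 0)
        pthread_join(tid, NULL);
    pthread_attr_destroy(&attr);
    return p.observed;
}

int main(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    printf("default guard:       %zu bytes\n", guard_size_of_thread(0, 1));
    printf("two pages requested: %zu bytes\n", guard_size_of_thread(2 * page, 0));
    printf("guard disabled:      %zu bytes (unguarded stack)\n", guard_size_of_thread(0, 0));
    return 0;
}
```

A non-zero default is what a current glibc gives; a 0 from the default case
would mean thread stacks are unguarded and a recursion overflow would not be
caught by a fault.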
