Friday, 20 March 2015

Are return-to-libc attacks possible now?



I've read that to make a successful return-to-libc attack, the attacker should store the address of the command (for example "bin/sh") on the stack right after the return address to the 'system' function (for example), so that the 'system()' function reads that address as its 'parameter' and executes that command. But now, after disassembling a program which calls system(), I noticed that it doesn't use the stack to get the address of that string ("bin/sh"). Instead, the address is stored in the EDI or RDI register. As long as the attacker can't access the registers, how is it possible to perform such an attack?





No comments:
