Saar Amar
In those CET times: It's possible to return in unwinding to any address in the SSP, causing a "type confusion" between stack frames ;) I really like the different variants of this concept :) Type confusions are on fire! (stack frames, objc for PAC bypass)
Elazar Leibovich, Jan 21
Replying to @AmarSaar
Can you explain? I'm not sure what you mean by "type confusion" in this context. CET contains only return addresses that have been called? Do you mean somehow ret32 for a 64-bit SSP?
Saar Amar, Jan 21
Replying to @elazarl
No. You can return into an address which the original flow didn't intend, but you control the registers :)
Yarden Shafir, Jan 21
Replying to @AmarSaar
You beat me to it! Planned to PoC this at some point and never got the time. Would love to see a nice sample of this if you have one 😊
Deepak, Feb 1
Replying to @AmarSaar @aionescu
You will need either 1) incssp ending in ret/jmp/call or 2) a free rstor token. The SSP register can't be easily modified. Even incssp can't run over more than a page in one go. Not saying it's not doable (if there is a crappy implementation), but it puts a good amount of constraints on the adv
Deepak, Feb 1
Replying to @AmarSaar @aionescu
Plus, even if you get to a free restore token in the program address space, you will need a usable rstorssp gadget (rstorssp ending in ret/jmp/call). Plus, the opcodes of all SSP management instructions are a minimum of 4 bytes. And thus the probability is less.
Kunal Mehta, Jan 22
Replying to @AmarSaar
Would be interesting to see how this works