factoryvur.blogg.se

Openoffice bug allows hackers to signed
"Here, we can see a buffer nValue of size sal_Int32 (4 bytes) being instantiated for a field of type INTEGER," explained Lim in a blog post. "Next, memcpy copies a buffer of size nLen - which is an attacker-controlled value - into nValue without validating that nLen is smaller than or equal to 4."

Revising his previous payload generator to the integer fieldType (I), he increased the size of fieldLength to greater than sal_Int32, and was able to launch a proof-of-concept attack that consisted of opening the file in OpenOffice Calc and causing a crash.

To fully exploit this and achieve reliable code execution, on Windows at least, Lim had to bypass DEP and ASLR. To do so, he looked for imported modules that had not been compiled with those protections and found libxml2, a software library for parsing XML documents. "So I could use this library as a starting point for a return-oriented programming chain, or ROP chain, in order to bypass DEP eventually," he said.













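The missing length check described in the quote above, shown as an added example beside a hardened form. This is not OpenOffice source code: the struct layout, the function names and the sample bytes are assumptions made for illustration, and only nValue, nLen, fieldType and fieldLength are names taken from the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical field descriptor: only fieldType/fieldLength come from the page. */
struct field_desc {
    char    fieldType;    /* 'I' = INTEGER */
    uint8_t fieldLength;  /* read from the file, so attacker-controlled */
};

/* Constructed record bytes: a 4-byte value followed by filler. */
static const uint8_t sample_record[8] = {0x2a, 0, 0, 0, 0x41, 0x41, 0x41, 0x41};

/* Pattern from the quote (a reconstruction, not OpenOffice source). Never called here. */
int32_t read_int_unchecked(const struct field_desc *f, const uint8_t *data)
{
    int32_t nValue = 0;
    size_t nLen = f->fieldLength;
    memcpy(&nValue, data, nLen);      /* writes past nValue when nLen > 4 */
    return nValue;
}

/* Hardened form: 0 on success, negative on a rejected field. */
int read_int_checked(const struct field_desc *f, const uint8_t *data,
                     size_t avail, int32_t *out)
{
    size_t nLen = f->fieldLength;
    if (f->fieldType != 'I')
        return -1;
    if (nLen > sizeof(*out))          /* the check the quote says is missing */
        return -2;
    if (nLen > avail)                 /* do not read past the record either */
        return -3;
    *out = 0;
    memcpy(out, data, nLen);          /* nLen is now at most 4 */
    return 0;
}

int main(void)
{
    struct field_desc ok = {'I', 4}, oversized = {'I', 200};
    int32_t v = 0;
    printf("length 4   -> %d\n", read_int_checked(&ok, sample_record, sizeof sample_record, &v));
    printf("length 200 -> %d\n", read_int_checked(&oversized, sample_record, sizeof sample_record, &v));
    return 0;
}
```

The checked reader leaves the destination untouched when it rejects a field, so a caller that ignores the return code still never sees partially copied data.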