Just a question:

It seems iPodLinux doesn't use the ARM MMU capabilities.
But are you sure the default Apple OS does the same?

Because if it uses the MMU, your address (0x22000XXX) seems to be a PHYSICAL address,
and not a LINEAR address.
The code (and shellcode) will manipulate linear addresses if that is the case.

+
serpilliere



On Tue, Feb 17, 2009 at 06:25:01PM +0100, 3mpty wrote:
> 2009/2/17, Bahattin TOZYILMAZ <[email protected]>:
> > Can we code addresses indirectly, create it on a register then use it?
> > It is easy on an x86 but, can it be done on an ARM?
> 
> Yes we can, but not to redirect the execution flow to the shellcode.
> 
> > And another question, how will we trigger the shell code?
> 
> If it is a stack-based overflow and if the stack isn't marked as
> non-exec, we write the shellcode address (more or less, but we have a
> small range of valid addresses (the NOPs)) on the stack, overwriting
> some return address of some function with it.
> (At least this is what I understand from the info given by The Seven
> in the previous email). In this way, after a LDR of PC from the stack,
> instead of the instruction after the function call we'll have our
> shellcode.
> 
> Also, things like return-to-libc don't seem to be feasible on
> iPod... at least with a black-box approach.
> But we should just try.
> 

_______________________________________________
Linux4nano-dev mailing list
[email protected]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org