Hi Greg,

On Sun, Mar 4, 2012 at 22:44, Greg Ewing <greg.ew...@canterbury.ac.nz> wrote:
>> Segfaults (most of them) can generally be made into arbitrary code
>> execution,
>
> Can you give an example of how this can be done?

You should find tons of documented examples of various attacks.  It's
not easy, but it's possible.  For example, let's assume we can decref
an object to 0 before its last usage, at address x.  All you need is
the skills and luck to arrange that the memory at x becomes occupied
by a new bigger string object allocated at "x - small_number".  This
is enough to control exactly all the bytes that are put at address x
and following, just by choosing the characters of the string.  For
example the bytes can be built to make address x look like a built-in
function object, which you can call --- which will call an arbitrarily
chosen address in memory.  This is enough to run arbitrary machine
code and do anything.


See you soon,

Armin.
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
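
The memory reuse described in the message above, as an added example that is not part of the original post and is not CPython code: a reference kept past a premature free reads whatever a later string allocation wrote there, and a generation-checked handle rejects that stale access. The single-slot arena, `TAG_INT`, and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed toy model (not CPython's allocator): one slot, reused after free. */
#define SLOT_SIZE 32
#define TAG_INT 0x11111111u            /* hypothetical type tag */
static unsigned char slot[SLOT_SIZE];
static uint32_t slot_generation;       /* bumped on every free */
typedef struct { unsigned char *ptr; uint32_t generation; } handle;

static handle slot_alloc(void) { handle h = { slot, slot_generation }; return h; }
static void slot_free(void) {
    memset(slot, 0xDB, SLOT_SIZE);     /* poison so stale reads stand out */
    slot_generation++;
}

/* The sequence from the message: the object is released while a reference
   is still held, then a string is allocated over the same memory. */
static handle premature_free_then_reuse(const char *string_bytes) {
    uint32_t tag = TAG_INT;
    size_t n = strlen(string_bytes);
    handle obj = slot_alloc();
    memcpy(obj.ptr, &tag, sizeof tag); /* object header */
    slot_free();                       /* refcount reached 0 too early */
    memcpy(slot_alloc().ptr, string_bytes, n < SLOT_SIZE ? n : SLOT_SIZE);
    return obj;                        /* the dangling reference */
}

/* Unchecked: trusts whatever bytes now sit where the header used to be. */
uint32_t read_tag_raw(const char *string_bytes) {
    handle stale = premature_free_then_reuse(string_bytes);
    uint32_t tag;
    memcpy(&tag, stale.ptr, sizeof tag);
    return tag;
}

/* Checked: a handle from an older generation is rejected before any read. */
int read_tag_checked(const char *string_bytes, uint32_t *tag_out) {
    handle stale = premature_free_then_reuse(string_bytes);
    if (stale.generation != slot_generation) return -1;
    memcpy(tag_out, stale.ptr, sizeof *tag_out);
    return 0;
}

int main(void) {
    uint32_t t = 0;
    printf("raw tag: 0x%08x\n", (unsigned)read_tag_raw("AAAABBBB"));
    printf("checked: %d\n", read_tag_checked("AAAABBBB", &t));
    return 0;
}
```

The raw read returns the string's first four bytes in place of `TAG_INT`, which is the type confusion the message describes; the checked read fails closed without touching the reused memory.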