In those CET times: It's possible to return in unwinding to any address in the SSP, causing a "type confusion" between stack frames ;) I really like the different variants of this concept https://twitter.com/AmarSaar/status/1211565530286632960 :) Type confusions are on fire! (stack frames, objc for PAC bypass) https://twitter.com/yarden_shafir/status/1217728223355817986
You will need either 1) incssp ending in ret/jmp/call or 2) a free rstor token. The SSP register can't be easily modified. Even incssp can't run over more than a page in one go. Not saying not doable (if there is a crappy implementation) but it puts a good amount of constraints on adv
Plus even if you get to a free restore token in program address space, you will need a usable rstorssp gadget (rstorssp ending in ret/jmp/call). Plus the opcodes of all SSP management instructions are a minimum of 4 bytes. And thus the probability is less.
19:23 - 31 Jan 2020