In those CET times: It's possible to return in unwinding to any address in the SSP, causing a "type confusion" between stack frames ;) I really like the different variants of this concept https://twitter.com/AmarSaar/status/1211565530286632960 :) Type confusions are on fire! (stack frames, objc for PAC bypass) https://twitter.com/yarden_shafir/status/1217728223355817986
Can you explain? I'm not sure what you mean by "type confusion" in this context. CET contains only the return address that has been called? Do you mean somehow ret32 for a 64-bit SSP?
No. You can return into an address which the original flow didn't intend, but you control the registers :)
If you have control of the registers/stack, just before an unwinding loop with INCSSP? (I think I got what you mean, but that sounds unlikely)