Conversation

New research 👉 Exception Oriented Programming, Part 2: Weaponizing Fundamental Weaknesses in Exception Unwinding to Gain Code Execution

billdemirkapi.me

Abusing Exceptions for Code Execution, Part 2

In this article, we'll explore how the concepts behind Exception Oriented Programming can be abused when exploiting stack overflow vulnerabilities on Windows.

202

534

namazso

@namazso

I started with low expectations due to Part 1, but this really is a great article. Fyi there's a newer RtlVirtualUnwind in coreclr: github.com/dotnet/runtime It has UWOP_EPILOGE and its unwinding that MS doesn't document. Glad there are others interested in making up stack frames.

github.com

runtime/src/coreclr/unwinder/amd64/unwinder.cpp at main · dotnet/runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps. - runtime/src/coreclr/unwinder/amd64/unwinder.cpp at main · dotnet/runtime

1:24 AM · Jan 31, 2023

1,924

Views

Bookmarks

Also you might want to change that `*(int*)0` to another number in your example, some compilers just throw that out compile-time because it's pretty easy to prove that it's UB.

Bill Demirkapi

@BillDemirkapi

Jan 31

I'm glad that you enjoyed it! Agreed that this blog was much more in depth than part 1. I did look into the legacy epilog logic and UWOP_EPILOG/RtlpUnwindEpilogue briefly, but I didn't find any additional primitives compared to what you could already do with other operations.