Conversation

Bill Demirkapi

@BillDemirkapi

·

Jan 30

New research 👉 Exception Oriented Programming, Part 2: Weaponizing Fundamental Weaknesses in Exception Unwinding to Gain Code Execution

billdemirkapi.me

Abusing Exceptions for Code Execution, Part 2

In this article, we'll explore how the concepts behind Exception Oriented Programming can be abused when exploiting stack overflow vulnerabilities on Windows.

5

202

534

namazso

@namazso

·

Jan 31

I started with low expectations due to Part 1, but this really is a great article. Fyi there's a newer RtlVirtualUnwind in coreclr: https://github.com/dotnet/runtime/blob/main/src/coreclr/unwinder/amd64/unwinder.cpp#L355-L363… It has UWOP_EPILOGE and its unwinding that MS doesn't document. Glad there are others interested in making up stack frames.

github.com

runtime/src/coreclr/unwinder/amd64/unwinder.cpp at main · dotnet/runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps. - runtime/src/coreclr/unwinder/amd64/unwinder.cpp at main · dotnet/runtime

2

2

15

namazso

@namazso

Also you might want to change that `*(int*)0` to another number in your example, some compilers just throw that out compile-time because it's pretty easy to prove that it's UB.

1:25 AM · Jan 31, 2023

·

271

Views

3

Likes