Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- Where can they hide?
Re: Where can they hide?
Weren't you talking in this instance about exploiting a vulnerability
in some av by multiply zipping a file many times? A multiply zipped
file, as such, is nether data nor code is it?
I dunno, what you're talking about. You had previously talked about
buffer overrun exploits and I say (said) it's the exploit code that's
the malware and not the chosen data pattern as you were claiming.
You don't do a buffer overrun exploit without exploit code do you?
Re: Where can they hide?
It's data - data that the unzipper program needs to convert the contents
back to its original uncompressed form. The center of the onion is the
original file which is also, I believe, not program code. It is data that
yields a very good compression ratio so that uncompressing it needs
Sure you do, if you only exploit the vulnerability to corrupt memory. If
you want to further leverage the overrun into executing code of your
choice then you of course will need to supply the payload code.
The flow to a subroutine may have to return back from whence it came (+1)
so that program execution can continue. It will drop a breadcrumb called a
return address pointer so it 'knows' where to return to. The buffer could be
used to contain data like a name from an input field. I put in my real name
(John Jacob Jingleheimer Schmidtt) and the program falls over. I examine
the contents of the buffer and find only John Jacob Jingleheimer Schmid and
find that the tt has stomped on the breadcrumb residing in adjacent memory.
This is where the exploit has worked, the machine is in a state to accept and
execute code supplied by me if I can only overrun the buffer with an address
that I control the contents of - no code is involved yet.
I input my name as John Jacob Jingleheimer Schmid[address of memory
I control] and the exploit is complete and still without code. I will need code
to place in the memory location now pointed to so that the runaway train
will have something interesting to crash into and execute. The exploit is
what diverts the train (without code) and any code that might follow is
payload. If this vulnerability were in a popular email client or server app
and I spammed the exploit out I could conceivably perform a DoS on a
large number of machines without doing any coding. I would call this
exploit "malware" even if the data is sent to only one victim, manually.