[Info-vax] A DCL wish list of sorts...
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Mar 22 18:01:03 EDT 2019
On 2019-03-22, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
> On 2019-03-22 20:54:59 +0000, pcanagnostopoulos at gmail.com said:
>
>> On Friday, March 22, 2019 at 3:11:55 PM UTC-4, Simon Clubley wrote:
>>> The shellcode is not loaded into the DCL command table itself but into
>>> CTL$A_COMMON. On VAX and Alpha, CTL$A_COMMON is both user writable and
>>> executable. The overwritten return address points to within
>>> CTL$A_COMMON so DCL transfers control to this code....
>>
>> This is just way too much fun.
That's rather different than the reaction I got from some quarters. :-)
And before you ask, no there's nothing else coming. :-) This was
just a one-off exercise designed to make some VMS people aware that
VMS has the same issues as other operating systems and it ended up
taking up far more time than I expected.
Also a reminder that none of this works on Itanium due to the way
Itanium handles return addresses.
>
> The common region remains writable and executable, too; a fixed-address
> block of writeable memory available for exploit code.
>
According to Doug, wasn't this buffer marked as no-execute on Itanium?
Of course, even if that's the case, it's still an excellent place to
put some data you control if you can overwrite a pointer to data
somewhere in a normal program.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world