From silvio Thu Sep 19 17:06:38 2002
From: silvio@big.net.au
To: winterslip@hushmail.com
Cc: full-disclosure@lists.netsys.com
Subject: ltrace, was Re: [Full-Disclosure] RE: Administrivia
Message-ID: <20020919165114.A4435@hamsec.aurora.sfo.interquest.net>
References: <200209192207.g8JM7p852688@mailserver2.hushmail.com>
In-Reply-To: <200209192207.g8JM7p852688@mailserver2.hushmail.com>; from winterslip@hushmail.com on Thu, Sep 19, 2002 at 03:07:51PM -0700
Date: Thu, 19 Sep 2002 16:51:14 -0700
User-Agent: Mutt/1.2.5i
Sender: full-disclosure-admin@lists.netsys.com
List-Id: Discussion of security issues

On Thu, Sep 19, 2002 at 03:07:51PM -0700, winterslip@hushmail.com wrote:
> Like the rest of the people on this list I am still sub'd to bugtraq and
> it's still pounding out vulnerabilities (including symantec ones..) and
> all your doomsaying has come to naught. Outside of the playschool
> environment here being highly entertaining you've done nothing, status
> quo for you of course.

doomsaying? I can't talk about doomsaying very well.. so perhaps something
on topic.

----> some interesting ltrace behaviour..

i've never seen anyone mention it before (i did talk about it a little at
cansecwest, heh), so i guess it won't hurt here.

ltrace works by basically looking at the dynamic symbol table and getting
the st_value from the dynamic symbols, and then setting a breakpoint where
that address is.

however, if we look at linux, then st_value is not used for dynamic
linking, and hence can be arbitrarily modified without changing execution
behaviour.

thus you can use this to

a) have ltrace produce no results
b) have ltrace produce incorrect results
c) have ltrace poke 0xC3 (x86) to where you want in memory, when being
   traced

how to do all this -->

a) set all st_value to 0
b) try swapping some symbols' st_value and have ltrace show you different
   calls
c) change st_value to whatever you want

solution -->

there are other ways to determine where a plt entry is, without looking at
a symbol st_value obviously.

> The no moderation call was very obviously a stellar judgment call. Hey,
> you have a server I can store some documents on by any chance????

i'll put them up on www.big.net.au if you want?

if anyone wants stuff up at www.big.net.au, i'll be open to suggestions or
linking, hosting content etc.

--
Silvio

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
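The "solution" Silvio points at, locating PLT entries without trusting st_value, can be turned into a consistency check that a tracer or a binary-triage script can run before believing .dynsym. The example below is added here and is not code from Silvio's post or from ltrace. It assumes the classic x86-64 lazy-binding PLT layout (PLT0 followed by 16-byte entries, each starting with `ff 25 rel32`, i.e. `jmp *rel32(%rip)`), ELF64 little-endian section headers addressed by name via .shstrtab, and a constructed minimal ELF image (`build_sample`, not a real binary) whose `exit` symbol has had its st_value pointed at the `puts` PLT slot, the "swapped symbols" case from the mail. It generalises slightly beyond that case: it accepts st_value of 0 (a Linux executable that never takes the function's address) or the symbol's own PLT entry, and flags anything else as a tampered dynamic symbol table. Binaries linked with `-z now` or with IBT `.plt.sec` stubs use a different entry layout and would need the `plt_entries` scanner adapted.

```python
import struct

# Struct layouts for ELF64 little-endian (x86-64) on-disk structures.
ELF_HDR = "<16sHHIQQQIHHHHHH"  # e_ident .. e_shstrndx
SHDR = "<IIQQQQIIQQ"           # name,type,flags,addr,offset,size,link,info,align,entsize
SYM = "<IBBHQQ"                # st_name,st_info,st_other,st_shndx,st_value,st_size
RELA = "<QQq"                  # r_offset,r_info,r_addend
R_X86_64_JUMP_SLOT = 7
PLT_ENTRY_SIZE = 16            # assumption: classic x86-64 lazy-binding PLT


def cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode()


def read_sections(elf):
    """Section name -> unpacked section header, names resolved via .shstrtab."""
    hdr = struct.unpack_from(ELF_HDR, elf, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(SHDR, elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = shdrs[shstrndx][4]
    return {cstr(elf, strtab + s[0]): s for s in shdrs if s[1] != 0}


def dynsym_table(elf, secs):
    """[(name, st_value)] straight from .dynsym: the values ltrace trusts."""
    sym, strt = secs[".dynsym"], secs[".dynstr"]
    out = []
    for i in range(sym[5] // sym[9]):
        st_name, _, _, _, st_value, _ = struct.unpack_from(SYM, elf, sym[4] + i * sym[9])
        out.append((cstr(elf, strt[4] + st_name), st_value))
    return out


def got_slot_to_symbol(elf, secs, syms):
    """GOT slot address -> symbol name, from the JUMP_SLOT relocations in .rela.plt."""
    rela = secs[".rela.plt"]
    out = {}
    for i in range(rela[5] // rela[9]):
        r_offset, r_info, _ = struct.unpack_from(RELA, elf, rela[4] + i * rela[9])
        if (r_info & 0xFFFFFFFF) == R_X86_64_JUMP_SLOT:
            out[r_offset] = syms[r_info >> 32][0]
    return out


def plt_entries(elf, secs, slot_to_name):
    """Symbol name -> PLT entry address, recovered from the PLT code itself.
    Each lazy entry starts with `ff 25 rel32`; the GOT slot it jumps through is
    entry+6+rel32, and the relocation on that slot names the symbol. st_value
    is never consulted."""
    plt = secs[".plt"]
    addr, off, size = plt[3], plt[4], plt[5]
    result = {}
    for entry in range(off + PLT_ENTRY_SIZE, off + size, PLT_ENTRY_SIZE):  # skip PLT0
        if elf[entry:entry + 2] != b"\xff\x25":
            continue
        rel32 = struct.unpack_from("<i", elf, entry + 2)[0]
        entry_addr = addr + (entry - off)
        got = entry_addr + 6 + rel32
        if got in slot_to_name:
            result[slot_to_name[got]] = entry_addr
    return result


def audit(elf):
    """name -> (st_value, plt_addr, verdict). Legitimate Linux binaries carry
    st_value == 0 or == the symbol's own PLT entry; anything else is tampering."""
    secs = read_sections(elf)
    syms = dynsym_table(elf, secs)
    plt = plt_entries(elf, secs, got_slot_to_symbol(elf, secs, syms))
    return {name: (v, plt[name], "ok" if v in (0, plt[name]) else "mismatch")
            for name, v in syms if name in plt}


def build_sample():
    """Constructed minimal ELF64 image (not a real binary): three imports, with
    exit's st_value redirected to puts' PLT entry (the swapped-symbol case)."""
    PLT_ADDR, GOT_ADDR = 0x401020, 0x404018
    names = ["puts", "strcpy", "exit"]
    dynstr = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    plt_of = {n: PLT_ADDR + PLT_ENTRY_SIZE * (i + 1) for i, n in enumerate(names)}
    got_of = {n: GOT_ADDR + 8 * i for i, n in enumerate(names)}
    st_value = {"puts": plt_of["puts"], "strcpy": 0, "exit": plt_of["puts"]}
    dynsym = struct.pack(SYM, 0, 0, 0, 0, 0, 0)
    for n in names:
        dynsym += struct.pack(SYM, dynstr.index(n.encode() + b"\0"), 0x12, 0, 0, st_value[n], 0)
    rela = b"".join(struct.pack(RELA, got_of[n], ((i + 1) << 32) | R_X86_64_JUMP_SLOT, 0)
                    for i, n in enumerate(names))
    plt = b"\xff\x35" + b"\0" * 4 + b"\xff\x25" + b"\0" * 4 + b"\x0f\x1f\x40\x00"  # PLT0
    for i, n in enumerate(names):
        ea = plt_of[n]
        plt += b"\xff\x25" + struct.pack("<i", got_of[n] - (ea + 6))  # jmp *GOT[n](%rip)
        plt += b"\x68" + struct.pack("<I", i)                         # push reloc index
        plt += b"\xe9" + struct.pack("<i", PLT_ADDR - (ea + 16))      # jmp PLT0
    shstrtab = b"\0.dynstr\0.dynsym\0.rela.plt\0.plt\0.shstrtab\0"
    bodies = [(".dynstr", 3, dynstr, 0, 0), (".dynsym", 11, dynsym, 1, 24),
              (".rela.plt", 4, rela, 2, 24), (".plt", 1, plt, 0, 16),
              (".shstrtab", 3, shstrtab, 0, 0)]
    blob, shdrs = bytearray(64), [struct.pack(SHDR, *([0] * 10))]
    for name, typ, data, link, entsize in bodies:
        off, addr = len(blob), PLT_ADDR if name == ".plt" else 0
        blob += data
        shdrs.append(struct.pack(SHDR, shstrtab.index(name.encode() + b"\0"), typ, 0,
                                 addr, off, len(data), link, 0, 1, entsize))
    shoff = len(blob)
    blob += b"".join(shdrs)
    struct.pack_into(ELF_HDR, blob, 0, b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 62, 1,
                     0x401000, 0, shoff, 0, 64, 56, 0, 64, len(shdrs), len(shdrs) - 1)
    return bytes(blob)


SAMPLE_ELF = build_sample()

if __name__ == "__main__":
    for name, (st_value, plt_addr, verdict) in audit(SAMPLE_ELF).items():
        print(f"{name:8s} st_value={st_value:#x} plt={plt_addr:#x} {verdict}")
```

Run against the constructed image, `puts` and `strcpy` come back `ok` while `exit` is reported as a mismatch: its st_value (0x401030) is the `puts` entry, but the PLT code and the relocation on its GOT slot place `exit@plt` at 0x401050. A tracer that places breakpoints at the addresses `plt_entries` returns is immune to all three of the st_value games in the mail, which is exactly the "other way to determine where a plt entry is" that the post alludes to.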