So now we can write a ROP chain into the stack of thread B, starting from a position where a return address is saved. If we send a Content-Length larger than 128KB to the socket of thread A, the stack pointer will point inside the stack of another thread (B), so the POST data of thread A will be written inside the stack of thread B, at any position we want; we only need to adjust the Content-Length value. Thanks to Content-Length and the alloca macro we control both the stack pointer and where the POST data will be written.
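As an added example (not code from the original post), the defender's side of the pattern described above: a strict Content-Length parser and a size policy that refuses to let a request body of attacker-chosen length size a stack allocation. MAX_STACK_BODY and MAX_BODY are assumed values chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumed values (hypothetical): the most a request body may occupy on the
 * stack, and an absolute cap enforced before any allocation happens. */
#define MAX_STACK_BODY 4096u
#define MAX_BODY       (1u << 20)

enum body_storage { BODY_REJECT = 0, BODY_STACK = 1, BODY_HEAP = 2 };
/* Strict Content-Length parser: decimal digits only; rejects empty, signed,
 * whitespace-padded and overflowing values. Returns 0 on success. */
int parse_content_length(const char *s, size_t *out)
{
    if (s == NULL || *s == '\0')
        return -1;
    size_t v = 0;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9')
            return -1;
        size_t d = (size_t)(*s - '0');
        if (v > (SIZE_MAX - d) / 10)   /* v * 10 + d would overflow */
            return -1;
        v = v * 10 + d;
    }
    *out = v;
    return 0;
}

/* Vulnerable pattern the post relies on, shown for contrast only:
 *     char *body = alloca(content_length);
 * An unchecked length exceeding the 128KB thread stack moves the stack
 * pointer into a neighbouring thread's stack. The policy below keeps any body
 * larger than MAX_STACK_BODY off the stack entirely. */
enum body_storage choose_body_storage(size_t len)
{
    if (len > MAX_BODY)
        return BODY_REJECT;   /* refuse before allocating anything */
    if (len > MAX_STACK_BODY)
        return BODY_HEAP;     /* malloc(len), never alloca */
    return BODY_STACK;        /* small fixed-size stack buffer is fine */
}

/* Header value to storage decision; a malformed header is a reject. */
enum body_storage classify_request(const char *content_length_hdr)
{
    size_t len;
    if (parse_content_length(content_length_hdr, &len) != 0)
        return BODY_REJECT;
    return choose_body_storage(len);
}
```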