[Full-Disclosure] format strings on HP-UX
eballen1 at qwest.net
Mon Jan 20 22:32:19 GMT 2003
On Mon, 20 Jan 2003 bt at delfi.lt wrote:
> Are they exploitable?
> I was looking for a format strings exploit on HP-UX, but couldn't find
> any. Maybe because they are not exploitable??? If they are, I would
> appreciate very much if anyone could provide some information about
I think that's a pretty good question, and I don't have an answer.
Since HP-UX runs on HP's "PA" architecture, the answer may very well
be "no". The PA architecture has a few oddities:
1. What unix people think of as "stack" and "heap" are reversed relative
to how they appear in SPARC, Mips, 68k and x86. The stack is at a lower
address than the heap.
2. Stack grows up, heap grows down. This, too, is reversed relative to
SPARC, Mips, x86, 68k. I think this implies that "stack underflows"
are more exploitable than "stack overflows", but I don't really know
3. The PA architecture is segmented. HP does their best to hush this up
and obfuscate it, but there's a "SR" segment register. I forget exactly
how this thing works, but it's *not* like x86. You can only get to a
given memory location with 1 combination of SR and 32-bit address.
It's possible that stack and heap and ".text segment" live in different
4. The heap and the stack are typically marked "non-executable". I realize
this doesn't protect 100% against stack overflows, but it sure makes them

All-in-all the PA architecture is a bit hard to get your head around, if you're
used to Mips/SPARC/68k big-endian memory arrangements.
Full-Disclosure is hosted and sponsored by Secunia.
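
Added example, not part of the original message: a small C probe for the two layout properties in points 1 and 2 above (which way the stack grows, and whether the stack sits above or below the heap), so the claim can be checked on whatever platform is under review. The function names are made up for this example, and it assumes a flat address space where casting pointers to `uintptr_t` gives comparable values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Hypothetical helper: recurse `depth` frames, then compare the address of a
 * local in the deepest frame with the address of a local in the caller. */
static NOINLINE int probe(uintptr_t caller_addr, int depth)
{
    volatile char marker = 1;
    uintptr_t here = (uintptr_t)&marker;
    if (depth > 0) {
        int deeper = probe(caller_addr, depth - 1);
        return marker ? deeper : 0; /* read after the call blocks tail-call elimination */
    }
    if (here == caller_addr) return 0;
    return here > caller_addr ? 1 : -1;
}

/* +1: stack grows toward higher addresses (what point 2 describes for PA);
 * -1: stack grows toward lower addresses; 0: inconclusive. */
int stack_growth_direction(int depth)
{
    volatile char outer = 0;
    return probe((uintptr_t)&outer, depth);
}

/* 1: stack is above the heap; 0: stack is below the heap (what point 1
 * describes for PA); -1: allocation failed. */
int stack_above_heap(void)
{
    volatile char on_stack = 0;
    char *on_heap = malloc(64);
    if (on_heap == NULL) return -1;
    int above = (uintptr_t)&on_stack > (uintptr_t)on_heap;
    free(on_heap);
    return above;
}

int main(void)
{
    printf("stack grows %s\n", stack_growth_direction(4) > 0 ? "up" : "down");
    printf("stack is %s the heap\n", stack_above_heap() == 1 ? "above" : "below");
    return 0;
}
```

The growth direction matters for overflow analysis because it decides whether a write past the end of a local buffer runs toward the caller's frame or away from it.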