Hey Brett,

BM> But because we can write to multiple addresses an exploit can work like
BM> this,
BM> * locate the static memory address for the exception handler
BM> * locate another static memory address
BM> * overwrite the exception handler with the second address
BM> * overwrite the second address with the required instructions for our
BM> relative jmp
BM> * cause an exception

I am not sure if what Halvar Flake spoke about at Blackhat Amsterdam last
Fall was the same issue, but it sounds a bit similar.
http://www.blackhat.com/presentations/bh-europe-01/halvar-flake/halvar.ppt,
in the second half there are a few slides on exploitation reliability.

Cheers,
Thomas Dullien

--
With kind regards
dullien@gmx.de
mailto:dullien@gmx.de