Linux.com Article DB: Function pointer attacks leading to security compromises:

Vendicator, the author of the StackShield software has posted to BugTraq illusdtrating the dangers of Function Pointer attacks on the system. "It is simple: if a function with an overflowable buffer contains call with a function pointer declared before the buffer the attacker may overwrite the pointer with the address of the shellcode (or in the NOP block) without altering the RET address in the stack. Even if the RET is altered the shellcode is executed before the function epilog causing StackGuard and the old Stack Shield not to detect it."

Originally Published: Wednesday, 3 November 1999	Author: Quentin Cregan
Published to: news_enhance_security/Security News	Page: 1/1 - [Printable]
Function pointer attacks leading to security compromises: Vendicator, the author of the StackShield software has posted to BugTraq illusdtrating the dangers of Function Pointer attacks on the system. "It is simple: if a function with an overflowable buffer contains call with a function pointer declared before the buffer the attacker may overwrite the pointer with the address of the shellcode (or in the NOP block) without altering the RET address in the stack. Even if the RET is altered the shellcode is executed before the function epilog causing StackGuard and the old Stack Shield not to detect it."