Crispin Cowan wrote: Consider this vulnerable code: foo(char * arg) { char * p = arg; // a vulnerable pointer char a[25]; // the buffer that makes the pointer vulnerable gets(a); // using gets() makes you vulnerable gets(p); // this is the good part } In attacking this code, the attacker first overflows the buffer a[] with a goal of changing the value of the char * p pointer. Specifically, the attacker can cause the p pointer to point anywhere in memory, but especially at a return address record in an activation record. When the program then takes input and stores it where p points, the input data is stored where the attacker said to store it. I think that having this kind of overflow available, StackWard is still vulnerable to a little smarter attack. You may think that this code example is too tricky, but there was a buffer overflow in bind's inverse query (http://www.securityfocus.com/vdb/bottom.html?vid=134) like this. This makes me remember of some code I wrote to exploit this for Sparcs, as it was just one call deep, it was imposible to overwrite the return address, so, by using a memcpy() to a pointer I could overwrite (like that one in the example code) I overwrited part of the libc in memory, lets say printf, so when the program called printf() after the second memcpy(), instead of calling the original printf() it called my code: Here you have an exploit that can be used still if you have StackWard. Am I wrong? Gerardo Richarte -- Investigacion y Desarrollo - CoreLabs - Core SDI http://www.core-sdi.com --- For a personal reply use gera@core-sdi.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:11:03 PDT