Re: ImmuniX OS Security Alert: StackGuard 1.21 Released

From: Gerardo Richarte (core.lists.bugtraq@CORE-SDI.COM)
Date: Wed Nov 10 1999 - 10:20:19 PST

    Crispin Cowan wrote:
    
       Consider this vulnerable code:
    
       #include <stdio.h>
    
       void foo(char *arg) {
           char *p = arg;    // a vulnerable pointer
           char a[25];       // the buffer that makes the pointer vulnerable
    
           gets(a);    // using gets() makes you vulnerable (unbounded write into a[])
           gets(p);    // this is the good part (unbounded write to wherever p now points)
       }
    
       In attacking this code, the attacker first overflows the buffer a[]
       with a goal of changing the value of the char * p pointer.  Specifically,
       the attacker can cause the p pointer to point anywhere in memory,
       but especially at a return address record in an activation record.
       When the program then takes input and stores it where p points, the
       input data is stored where the attacker said to store it.
    
        I think that, with this kind of overflow available, StackGuard is
    still vulnerable to a little smarter attack.
        You may think that this code example is too tricky, but there was a
    buffer overflow in bind's inverse query
    (http://www.securityfocus.com/vdb/bottom.html?vid=134) like this. This
    reminds me of some code I wrote to exploit this for Sparcs: as it was
    just one call deep, it was impossible to overwrite the return address,
    so, by using a memcpy() to a pointer I could overwrite (like the one in
    the example code), I overwrote part of libc in memory, let's say
    printf, so when the program called printf() after the second memcpy(),
    instead of calling the original printf() it called my code. Here you
    have an exploit that can still be used even if you have StackGuard.
    
        Am I wrong?
    
        Gerardo Richarte
    
    --
    Investigacion y Desarrollo - CoreLabs - Core SDI
    http://www.core-sdi.com
    
    --- For a personal reply use gera@core-sdi.com
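The quoted foo() rewritten with bounded reads, as an added example that is not part of this thread or of StackGuard: each read is limited to its destination's real size, so a[] cannot overflow into p and the second read cannot run past the caller's buffer, which removes the pointer-clobbering path the post describes. The arg_len parameter and the check_oversized_input() harness are assumptions introduced here; the original foo() takes no size.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hardened rewrite of the quoted foo(). Every read is bounded by the
 * destination's declared size, so a[] cannot spill into p (or anything
 * else in the frame) and the second read cannot run past the caller's
 * buffer. arg_len is the caller-supplied capacity of arg (assumed here).
 * Returns the number of bytes stored in a[], or -1 on read failure. */
int foo_hardened(char *arg, size_t arg_len, FILE *in) {
    char *p = arg;   /* the pointer the original left exposed */
    char a[25];      /* same fixed-size buffer as the original */

    /* fgets() writes at most sizeof a bytes, including the NUL. */
    if (fgets(a, (int)sizeof a, in) == NULL)
        return -1;
    /* Bounded by the declared capacity, never by the input length. */
    if (arg_len == 0 || arg_len > INT_MAX || fgets(p, (int)arg_len, in) == NULL)
        return -1;
    return (int)strlen(a);
}

/* Drive foo_hardened() with a constructed 100-byte line (four times the
 * size of a[]) and a 16-byte caller buffer. Returns 1 if the bounds held:
 * a[] kept exactly 24 bytes and the caller buffer exactly 15. */
int check_oversized_input(void) {
    char input[128];
    char out[16];
    memset(input, 'A', 100);
    strcpy(input + 100, "\nsecond line\n");   /* constructed test input */
    FILE *in = fmemopen(input, strlen(input), "r");
    if (in == NULL)
        return 0;
    int kept = foo_hardened(out, sizeof out, in);
    fclose(in);
    return kept == 24 && strlen(out) == 15;
}

int main(void) {
    printf("bounds held: %s\n", check_oversized_input() ? "yes" : "no");
    return 0;
}
```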
    