Using Environment for returning into Lib C

From: Elie aka \ (elieat_private)
Date: Tue Feb 26 2002 - 19:27:59 PST


    Hello,
    This advisory presents a new way to build a return-into-libc exploit.
    
    Synopsis
    --------
    
    By using environment variables, one can easily exploit a buffer
    overflow with the return-into-libc technique.
    
    Details
    --------
    If we make an analogy with the shellcode technique:
    the byte \x20 (a space) plays the role of \x90 (a NOP). For the system()
    function the string "/bin/sh" is equivalent to "          /bin/sh", because
    the shell ignores leading whitespace in the command it is handed.
    The return address overwritten by the overflow is the address of system().
    The argument address is the address of our environment variable, and the
    leading spaces mean the guess of that address does not have to be exact.
    This gives flexibility to the argument passed and helps when chaining
    return-into-libc calls.
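    The mechanism described above, as an added example that is not part of the
    original advisory nor of the code at the linked article: a C program that
    builds a space-padded command, places it in its own environment, and then
    calls system() through a function pointer with an argument pointer that
    lands somewhere inside the padding, which is what a return-into-libc frame
    would do with an imprecise guess of the variable's address. The variable
    name EGG, the padding length and the command "exit 7" are chosen here for
    illustration only; the program overflows nothing itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* Build `pad` spaces followed by `cmd`: the \x20 "sled" in front of the
 * command, by analogy with a \x90 sled in front of shellcode.
 * The caller frees the result. */
char *build_space_sled(const char *cmd, size_t pad)
{
    size_t len = strlen(cmd);
    char *s = malloc(pad + len + 1);
    if (s == NULL)
        return NULL;
    memset(s, ' ', pad);
    memcpy(s + pad, cmd, len + 1);   /* includes the terminating NUL */
    return s;
}

/* Put the padded command into the environment under `name` and return a
 * pointer to the copy the process now holds. In a real exploit this is the
 * address that the overflow writes where system() expects its argument. */
char *place_in_environment(const char *name, const char *cmd, size_t pad)
{
    char *sled = build_space_sled(cmd, pad);
    if (sled == NULL)
        return NULL;
    int rc = setenv(name, sled, 1);   /* setenv copies the string */
    free(sled);
    if (rc != 0)
        return NULL;
    return getenv(name);
}

/* Stand-in for the forged stack frame: call libc's system() through a
 * pointer with an argument that points `skip` bytes into the sled.
 * Returns the exit status of the command run by /bin/sh, or -1 if the
 * shell itself could not be run. */
int call_system_at_offset(const char *egg, size_t skip)
{
    int (*libc_system)(const char *) = system;
    int st = libc_system(egg + skip);
    if (st == -1 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

/* Return 1 if every "landing point" from the first space up to the command
 * itself runs `cmd` and yields `expected_status`, 0 otherwise. */
int sled_runs_at_all_offsets(const char *cmd, size_t pad, int expected_status)
{
    char *egg = place_in_environment("EGG", cmd, pad);
    if (egg == NULL)
        return 0;
    for (size_t skip = 0; skip <= pad; skip++)
        if (call_system_at_offset(egg, skip) != expected_status)
            return 0;
    return 1;
}

int main(void)
{
    const size_t pad = 16;                       /* illustration value */
    char *egg = place_in_environment("EGG", "exit 7", pad);
    if (egg == NULL)
        return 1;
    printf("EGG lives at %p: \"%s\"\n", (void *)egg, egg);
    printf("offset 0   -> status %d\n", call_system_at_offset(egg, 0));
    printf("offset %zu  -> status %d\n", pad, call_system_at_offset(egg, pad));
    printf("offset %zu  -> status %d (overshot the sled)\n",
           pad + 1, call_system_at_offset(egg, pad + 1));
    printf("all offsets ok: %d\n", sled_runs_at_all_offsets("exit 7", pad, 7));
    return 0;
}
```

    Because the shell ignores leading whitespace, every offset from 0 up to
    the padding length runs the command; one byte past the padding lands in
    the middle of the command text and the shell fails instead. In a real
    exploit the variable's address is read from the target's stack (the
    environment strings sit near the top of the stack, after the argument
    strings, and shift with the size of the environment and of the program
    name), and the padding absorbs that uncertainty exactly as a NOP sled does
    for shellcode.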
    
    Article
    -------
    
    Related article describing this technique, with example source code:
    http://www.bursztein.net/secu/rilc.html
    
    This technique should open up a new range of return-into-libc exploits.
    
    
    
    Sincerely,
    
    Elie aka "Lupin" Bursztein
    ___________________________
    icq  : 32228319
    mail : elieat_private
    web  : www.bursztein.net
    ___________________________
    "Simplicity is difficulty"
    



    This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 19:56:55 PST