Re: static char overflow

From: - OUAH - (ouah_at_private)
Date: Thu May 02 2002 - 05:00:27 PDT


    hello,
    
    ouah@weed:~$ gcc -g tr.c -o tr
    ouah@weed:~$ gdb tr -q
    (gdb) l
    1       main(int argc,char **argv)
    2       {
    3         static char buf [1024];
    4       strcpy(buf,argv[1]);
    5       printf("%s",buf);
    6       }
    (gdb) b 5
    Breakpoint 1 at 0x8048443: file tr.c, line 5.
    (gdb)  r AAA
    Starting program: /home/ouah/tr AAA
    
    Breakpoint 1, main (argc=2, argv=0xbffff9b4) at tr.c:5
    5       printf("%s",buf);
    (gdb) info symbol buf
    buf.3 in section .bss
    (gdb) q
    The program is running.  Exit anyway? (y or n) y
    ouah@weed:~$ size -A -x tr | grep -1 bss
    .dynamic           0xa0   0x80494f8
    .sbss               0x0   0x8049598
    .bss              0x420   0x80495a0
    .stab             0x93c         0x0
    ouah@weed:~$
    
    You can see that your buffer is located in the .bss section and there isn't another 
    contiguous section after it. You can make the vulnerable proggie 
    segfault, but only because it writes to an unauthorized section (you cannot write 
    after the .bss section!). So this code is NOT exploitable (you can have a DoS 
    but you cannot get a shell) on modern Linux. Maybe it can be exploitable on 
    other OSes (and what about file formats other than ELF?). I heard that it can 
    be exploited on old Linux if it is compiled as static (as the ELF sections will 
    not be in the same order).
    
    Note: If your buffer was initialised (=> it goes to the .data section), you could 
    overwrite the .dtors section and exploit it.
    
    Bye,
    
    OUAH
    http://ouah.sysdoor.net
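The post's argument rests on where the static buffer sits and on what follows it in memory. The program below is an added example (not code from the post above or from its author) that lets you check both points on your own binary instead of reading `size -A` and gdb output by hand: it declares the two kinds of static buffer the post discusses (uninitialised, which the linker puts in .bss, and initialised, which goes to .data), classifies each one with the linker-defined symbols `__bss_start`, `_edata` and `_end`, reports how many bytes of the same section lie past the end of each buffer (the space an overflow can clobber before leaving the section), and then reads `/proc/self/maps` to see whether the page immediately after the .bss mapping is mapped at all and where the program break is. It assumes Linux/ELF, GNU ld's default linker script (which provides those three symbols) and a readable `/proc`; the buffer names and the `mapping_end` helper are this example's own.

```c
/* Added example, not code from the original post.  Assumes Linux/ELF with
 * GNU ld's default linker script (which defines __bss_start, _edata, _end)
 * and a readable /proc/self/maps.  Build with: gcc -Wall -o secmap secmap.c */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Linker-defined boundaries: .data ends at _edata, .bss is [__bss_start, _end). */
extern char __bss_start[], _edata[], _end[];

/* The two cases from the post: an uninitialised static lands in .bss,
 * an initialised one in .data. */
static char bss_buf[1024];
static char data_buf[1024] = "initialised";

/* True if p lies inside .bss. */
int in_bss(const void *p) {
    uintptr_t a = (uintptr_t)p;
    return a >= (uintptr_t)__bss_start && a < (uintptr_t)_end;
}

/* True if p lies below the end of initialised data, i.e. in .data
 * (or an earlier section) and therefore never in .bss. */
int below_bss(const void *p) {
    return (uintptr_t)p < (uintptr_t)_edata;
}

/* Bytes that a write running off the end of buf (len bytes long) can still
 * land inside the buffer's own section before reaching the section end.
 * 0 means the buffer is the last object in its section. */
size_t room_after(const void *buf, size_t len) {
    uintptr_t past  = (uintptr_t)buf + len;
    uintptr_t limit = in_bss(buf) ? (uintptr_t)_end : (uintptr_t)_edata;
    return past < limit ? (size_t)(limit - past) : 0;
}

/* Find the mapping containing addr in /proc/self/maps.  Returns the mapping's
 * exclusive end, or 0 if addr is unmapped or /proc is unavailable.  If name is
 * non-NULL, the mapping's path field ("[heap]", a file, or "" for anonymous
 * memory) is copied into it. */
uintptr_t mapping_end(uintptr_t addr, char *name, size_t namelen) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    uintptr_t found = 0;
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char path[256] = "";
        /* line format: lo-hi perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %255s", &lo, &hi, path) < 2)
            continue;
        if (addr >= lo && addr < hi) {
            found = (uintptr_t)hi;
            if (name && namelen)
                snprintf(name, namelen, "%s", path);
            break;
        }
    }
    fclose(f);
    return found;
}

int main(void) {
    char name[256] = "", next[256] = "";
    uintptr_t seg_end, after;

    printf("__bss_start=%p _edata=%p _end=%p\n",
           (void *)__bss_start, (void *)_edata, (void *)_end);
    printf("bss_buf  at %p, in .bss=%d, bytes of .bss past it: %zu\n",
           (void *)bss_buf, in_bss(bss_buf), room_after(bss_buf, sizeof bss_buf));
    printf("data_buf at %p, below .bss=%d, bytes of .data past it: %zu\n",
           (void *)data_buf, below_bss(data_buf), room_after(data_buf, sizeof data_buf));

    /* What actually follows .bss in the address space? */
    seg_end = mapping_end((uintptr_t)_end - 1, name, sizeof name);
    if (!seg_end) {
        puts("/proc/self/maps not available; cannot inspect the mapping layout");
        return 0;
    }
    printf(".bss sits in a mapping ending at 0x%lx (%s)\n",
           (unsigned long)seg_end, name[0] ? name : "anonymous");
    after = mapping_end(seg_end, next, sizeof next);
    if (after)
        printf("the page right after it IS mapped: 0x%lx-0x%lx (%s)\n",
               (unsigned long)seg_end, (unsigned long)after,
               next[0] ? next : "anonymous");
    else
        puts("the page right after it is unmapped; a write there faults");
    printf("program break (where the heap grows from) is at %p\n", sbrk(0));
    return 0;
}
```

Run it as is, then once with the overflowing `strcpy` target declared initialised, and compare the two reports: whether the bytes past a buffer are still inside its section, and whether the page after the .bss mapping is unmapped or already belongs to another mapping, is what decides between the crash-only outcome the post describes and something an attacker can reach.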
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu May 02 2002 - 09:40:28 PDT