hello,

ouah@weed:~$ gcc -g tr.c -o tr
ouah@weed:~$ gdb tr -q
(gdb) l
1 main(int argc,char **argv)
2 {
3 static char buf [1024];
4 strcpy(buf,argv[1]);
5 printf("%s",buf);
6 }
(gdb) b 5
Breakpoint 1 at 0x8048443: file tr.c, line 5.
(gdb) r AAA
Starting program: /home/ouah/tr AAA

Breakpoint 1, main (argc=2, argv=0xbffff9b4) at tr.c:5
5 printf("%s",buf);
(gdb) info symbol buf
buf.3 in section .bss
(gdb) q
The program is running. Exit anyway? (y or n) y
ouah@weed:~$ size -A -x tr | grep -1 bss
.dynamic 0xa0 0x80494f8
.sbss 0x0 0x8049598
.bss 0x420 0x80495a0
.stab 0x93c 0x0
ouah@weed:~$

You can see your buffer is located in the bss section and there isn't another contiguous section after it. You can make the vulnerable proggie segfault, but only as it writes to an unauthorized section (you cannot write after the bss section!). So this code is NOT exploitable (you can have a DoS but you cannot get a shell) in modern Linux. Maybe it can be exploitable in other OS (and what about other file formats than ELF?). I heard that it can be exploited in old Linux if it is compiled as static (as ELF sections will not be in the same order).

Note: If your buffer was initialised (=> it goes to the .data section), you could overwrite the dtors section and exploit it.

Bye,
OUAH
http://ouah.sysdoor.net
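The post's reasoning ("is there a loaded section right after the one holding my static buffer?") can be checked mechanically from `size -A -x` output. The following is an added example, not code from the original post: it parses that output, keeps only loaded sections, and lists what a forward overflow from a given section would run into. The .bss sample is the output quoted above; the .data/.dtors sample layout and its addresses are constructed for illustration.

```python
"""Which loaded ELF sections sit beyond a given section, from `size -A -x` output.
Added example; SIZE_OUTPUT_DATA is a constructed layout, not a real binary."""
import re
from typing import List, Tuple

# Output quoted in the post: `size -A -x tr | grep -1 bss`.
SIZE_OUTPUT_BSS = """
.dynamic 0xa0 0x80494f8
.sbss 0x0 0x8049598
.bss 0x420 0x80495a0
.stab 0x93c 0x0
"""

# Constructed sample (addresses made up): an initialised buffer lives in
# .data and the .dtors section follows it, as in old i386 ELF layouts.
SIZE_OUTPUT_DATA = """
.data 0x40 0x8049400
.ctors 0x8 0x8049440
.dtors 0x8 0x8049448
.bss 0x20 0x8049450
"""

Section = Tuple[str, int, int]  # (name, size, address)


def loaded_sections(size_output: str) -> List[Section]:
    """Parse `size -A -x` lines; drop sections at address 0 (not loaded, e.g. .stab)."""
    secs: List[Section] = []
    for line in size_output.splitlines():
        m = re.match(r"\s*(\.\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)", line)
        if m and int(m.group(3), 16) != 0:
            secs.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return sorted(secs, key=lambda s: s[2])


def section_end(size_output: str, name: str) -> int:
    """First address past the end of the named loaded section."""
    secs = loaded_sections(size_output)
    return next(addr + size for n, size, addr in secs if n == name)


def overflow_reach(size_output: str, name: str) -> List[str]:
    """Loaded sections at or beyond the end of `name`, in address order.
    An empty list means a forward overflow runs off the last loaded section
    (the DoS-only case the post describes for .bss)."""
    end = section_end(size_output, name)
    return [n for n, _, addr in loaded_sections(size_output) if addr >= end]
```

Feed it the real `size -A -x <binary>` output to see whether a static buffer's section is last (write falls off the loaded sections) or is followed by something like .dtors.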
This archive was generated by hypermail 2b30 : Thu May 02 2002 - 09:40:28 PDT