Re: static char overflow

From: Sebastian (scutat_private-berlin.de)
Date: Thu May 02 2002 - 10:36:46 PDT


    Hi.
    
    
    On Thu, May 02, 2002 at 08:00:27PM +0800, - OUAH - wrote:
    
    > you can see your buffer is located at bss section and there isn't another
    > contiguous section after.
    
    There is no static heap section afterwards, that's indeed true. But the
    entire dynamic heap is initialized after the .bss section, and you can write
    to it.
    
    > you can make the vulnerable proggie segfault but only as it writes to an
    > unauthorized section (you cannot write after the bss section!). So this
    > code is NOT exploitable (you can have a DoS but you cannot get a shell) in
    > modern Linux.
    
    I disagree. It's not exploitable in this simple example, as there is not much
    code executed thereafter. But if there is some code that touches the dynamic
    heap somehow (malloc, free, pointer writes, function pointers, anything
    dynamic such as linked lists, ...) it would be most likely possible.
    
    
    > Maybe it can be exploitable in other OS (and what about other file format
    > than ELF?). I heard that it can be exploited in old linux if it is
    > compiled as static (as ELF sections will not be in the same order).
    
    No, when the binary is compiled static (under linux with the gnu toolchain),
    there are the __atexit structures behind static buffers, which can be
    exploited to seize control. For further information refer to Pascal
    Bouchareine's explanation of the technique.
    
    
    > Note: If your buffer was initialised (=> go to .data section), you could
    > overwrite dtors section and exploit it.
    
    Indeed this would be possible.
    
    
    > Bye,
    > OUAH
    
    ciao,
    scut :)
    
    -- 
    -. scutat_private-berlin.de -. + http://segfault.net/~scut/ `--------------------.
    -' segfault.net/~scut/pgp `' 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
    `- complete HTCIA database obtained, exchange as usual. hi echelon ----------'
    
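    The layout point scut makes above (a .bss buffer with the dynamic heap above it, so an overrun of the static buffer can reach malloc'd memory) can be checked in a running process. The following is an added example, not code from the thread: it measures where a fresh heap chunk lands relative to a .bss array and shows a bounded copy into that array that refuses oversized input. Linux/glibc is assumed; BUF_SIZE and the function names are this example's own.

```c
/* Added example (not from the thread). Probes whether the dynamic heap
 * sits above a .bss buffer in this process and shows a bounded copy that
 * cannot run past the buffer. Linux/glibc assumed; names are our own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* Uninitialised file-scope array: the linker places it in .bss. */
static char bss_buf[BUF_SIZE];

/* Signed distance in bytes from the end of bss_buf to a freshly
 * malloc'd chunk. Positive means the chunk lies above the static
 * buffer, i.e. an overrun of bss_buf could reach heap memory. */
long heap_gap_from_bss(void)
{
    uintptr_t buf_end = (uintptr_t)bss_buf + sizeof bss_buf;
    void *chunk = malloc(128);          /* small request: brk heap on glibc */
    if (chunk == NULL)
        return 0;
    long gap = (long)((intptr_t)chunk - (intptr_t)buf_end);
    free(chunk);
    return gap;
}

/* 1 if the heap chunk is at a higher address than bss_buf, else 0. */
int heap_follows_bss(void)
{
    return heap_gap_from_bss() > 0;
}

/* Hardened copy into the static buffer: rejects input that does not fit
 * together with its terminator instead of writing past the array.
 * Returns 0 on success, -1 when rejected (buffer left untouched). */
int copy_into_static(const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof bss_buf)
        return -1;
    memcpy(bss_buf, src, len + 1);
    return 0;
}

int main(void)
{
    printf("bss_buf ends at %p; heap chunk %ld bytes from it (%s)\n",
           (void *)(bss_buf + sizeof bss_buf), heap_gap_from_bss(),
           heap_follows_bss() ? "above .bss" : "below .bss");
    printf("short copy: %d, oversized copy: %d\n",
           copy_into_static("hello"), copy_into_static("0123456789012345678901234567890123456789012345678901234567890123"));
    return 0;
}
```

On a typical glibc build the reported gap is positive (heap above .bss), which is the layout scut describes; the bounded copy is the check that keeps a static buffer from ever reaching it.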



    This archive was generated by hypermail 2b30 : Thu May 02 2002 - 13:02:44 PDT