Re: static char overflow

From: SpaceWalker (spacewalkerat_private)
Date: Thu May 02 2002 - 13:14:44 PDT

    On Thu, 2 May 2002 19:36:46 +0200
    Sebastian <scutat_private-berlin.de> wrote:
    
    > I disagree. Its not exploitable in this simple example, as there is not much
    > code executed thereafter. But if there is some code that touches the dynamic
    > heap somehow (malloc, free, pointer writes, function pointers, anything
    > dynamic such as linked lists, ..) it would be most likely possible.
    
    Speaking of Linux. It may be possible that on some arch, linked with some exotic compiler, the .dtors section is after the bss. That's theoretically not impossible, and I don't see why some linker wouldn't do that, except the risk of exploiting such a vulnerability.
    
    But, unless this example is not exploitable, smashing the bss segment can cause overwriting of global variables, such as pointers.
    Imagine:
    #include <string.h>
    char buffer[128]; /* I don't remember if the bss grows down or up. */
    int *ptr1;        /* global pointer that lives in .bss next to buffer */
    int random;
    int main(int argc,char **argv){
    	int something=1;
    	if(argc<2) return 1;     /* need one argument to copy */
    	ptr1=&something;
    	random=31337;
    	strcpy(buffer,argv[1]);  /* unbounded copy: overflows past buffer into .bss */
    	*ptr1=random;            /* write through the (possibly overwritten) pointer */
    	return 0;
    	}
    
    Of course, it's only an example, but it's exploitable and does not contain any malloc.
    SpaceWalker
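
The hardened counterpart of the example above, added here as an illustration and not part of SpaceWalker's post. It keeps the same three globals (their relative placement is an assumption; the linker, not the source order, decides the .bss layout) and replaces the unchecked strcpy() with a length check that refuses oversized input before any byte is copied, so the adjacent pointer can never be touched. The helper names (copy_arg, run_hardened, demo_with_length) and the rename of the global to random_value are my own choices:

```c
#include <stdio.h>
#include <string.h>

/* Same three globals as the post's example. Their relative placement is
   an assumption: the linker, not the source order, decides the BSS layout. */
static char buffer[128];
static int *ptr1;
static int random_value;

/* Bounded replacement for the unchecked strcpy(): the copy is refused
   outright if the source (plus its terminator) does not fit, so nothing
   past buffer[] can ever be written. Returns 0 on success, -1 on rejection. */
int copy_arg(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened version of the post's main() body. Returns the value that ended
   up in 'something' (written through ptr1), or -1 if the input was rejected
   before any copy took place. */
int run_hardened(const char *arg)
{
    int something = 1;
    ptr1 = &something;
    random_value = 31337;
    if (copy_arg(buffer, sizeof buffer, arg) != 0)
        return -1;                 /* ptr1 is still intact, nothing dereferenced */
    *ptr1 = random_value;          /* safe: ptr1 could not have been overwritten */
    return something;
}

/* Helper for checking behaviour without command-line input: builds a
   constructed argument of 'len' repeated 'A's (capped at 511) and runs it. */
int demo_with_length(size_t len)
{
    char arg[512];
    if (len > sizeof arg - 1)
        len = sizeof arg - 1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return run_hardened(arg);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    int r = run_hardened(argv[1]);
    if (r < 0) {
        fprintf(stderr, "input rejected: longer than %zu bytes\n", sizeof buffer - 1);
        return 1;
    }
    printf("copied %zu bytes, something=%d\n", strlen(buffer), r);
    return 0;
}
```

The point of the check is that it runs before the copy and is tied to sizeof buffer, so it stays correct whatever order the linker gives the globals; a 127-byte argument is accepted and 31337 lands in something, while a 128-byte or longer argument is rejected without a single byte reaching .bss.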
    



    This archive was generated by hypermail 2b30 : Thu May 02 2002 - 15:52:14 PDT