> Thoughts, anyone?

A couple... The overflowed string doesn't have to end with \0; if you terminate the prescan()ed string with some valid chars (e.g. "...\\\377\\\377a") the length check will fail and exit without appending a null.

I haven't found any way to avoid an error (i.e. a call to usererr()), which then triggers an exception that is caught beyond the stack frame you overwrite (in smtp()). Hence the relevant function never actually returns, and your overwritten saved eip/ebp value never gets used. However, you can overwrite the exception handler structure (and its saved registers) in some cases. I've experimented a bit with moving ebp further down the stack, but not found a way to control the data it points to. I think that's the only chance for a semi-generic exploit.

As you say, you can also overwrite some variables on the stack which may get used before the exception's thrown (the addr argument in parseaddr() is one that comes to mind), but in the binaries I've looked at all the useful ones are kept live in registers, so overwriting them has no effect.

- Blazde
This archive was generated by hypermail 2b30 : Fri Apr 04 2003 - 12:58:50 PST