At 11:25 AM 5/13/2003, Dave McKinney wrote:

[snip]

> for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
>     buf1[i] = p1[i];

Well, the code assumes that p1 is null-terminated. If we supply a value for argv[1] that doesn't end in a '\0', this routine will continue to copy information beyond the end of argv[1] into buf1. Then we free buf1, which might contain a copy of some or all of buf2.

It seems non-trivial to exploit this in a meaningful way. Even if it gets run by someone with elevated privileges, your shellcode needs to be less than SIZE bytes long, and you need to assume that this buffer also would overwrite the instruction pointer. Wouldn't this factor (relationship of the instruction pointer to buf1) vary from one environment to another? Or am I missing something (it happens)?

--Foofus.
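The quoted loop bound, worked through as an added example that is not code from the original thread or from either poster. It exercises the `i <= SIZE` loop against a guard byte placed just past a SIZE-byte region and then does the same with an `i < SIZE` bound that leaves room for a terminator. The constructed input is properly NUL-terminated, so any byte written past the region comes from the bound alone; SIZE = 16, the function names and the sample input are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define SIZE 16   /* assumed value; the original post never states SIZE */

/*
 * Copy loop using the bound from the quoted post (i <= SIZE), written
 * over an explicit dst_len so the bound can be run against a padded
 * buffer. Returns the number of bytes written. With this bound the
 * last reachable index is dst[dst_len], one past a dst_len-byte buffer.
 */
size_t copy_le_bound(char *dst, size_t dst_len, const char *src)
{
    size_t i;
    for (i = 0; i <= dst_len && src[i] != '\0'; i++)   /* <= reaches dst[dst_len] */
        dst[i] = src[i];
    return i;
}

/*
 * Hardened form: stop one short of dst_len so a terminator always fits,
 * and terminate explicitly so later string operations on dst stay in
 * bounds. Returns the number of payload bytes copied.
 */
size_t copy_lt_bound(char *dst, size_t dst_len, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < dst_len && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

/*
 * Feed a copy routine a constructed, NUL-terminated string of SIZE + 1
 * 'A's (longer than the SIZE-byte destination) and report whether the
 * guard byte at index SIZE, the first byte after the destination, was
 * overwritten. Returns 1 if the routine wrote past the end, 0 otherwise.
 */
int overruns_guard(size_t (*copy)(char *, size_t, const char *))
{
    char region[SIZE + 2];         /* SIZE-byte destination + guard + spare */
    char input[SIZE + 2];          /* constructed sample input */

    memset(input, 'A', SIZE + 1);
    input[SIZE + 1] = '\0';        /* terminated, like any argv string */

    memset(region, 0, sizeof region);
    region[SIZE] = 'G';            /* guard: the byte just past buf1 */
    copy(region, SIZE, input);
    return region[SIZE] != 'G';
}

int main(void)
{
    printf("i <= SIZE bound overruns guard: %d\n", overruns_guard(copy_le_bound));
    printf("i <  SIZE bound overruns guard: %d\n", overruns_guard(copy_lt_bound));
    return 0;
}
```

On a real heap the byte past buf1 is not a guard but whatever the allocator placed next, which is why the off-by-one matters once buf1 is later passed to free.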
This archive was generated by hypermail 2b30 : Tue May 13 2003 - 15:18:40 PDT