Re: Administrivia: List Announcement

From: Mr. Rufus Faloofus (foofusat_private)
Date: Tue May 13 2003 - 12:06:10 PDT


At 11:25 AM 5/13/2003, Dave McKinney wrote:
[snip]
>         for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
>                 buf1[i] = p1[i];

Well, the code assumes that p1 is null-terminated.  If
we supply a value for argv[1] that doesn't end in a
'\0', this routine will continue to copy information
beyond the end of argv[1] into buf1.

Then we free buf1, which might contain a copy of
some or all of buf2.

It seems non-trivial to exploit this in a meaningful
way.  Even if it gets run by someone with elevated
privileges, your shellcode needs to be less than
SIZE bytes long, and you need to assume that this
buffer also would overwrite the instruction pointer.

Wouldn't this factor (relationship of the instruction
pointer to buf1) vary from one environment to another?
Or am I missing something (it happens)?

--Foofus.
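The loop quoted above stops only on a NUL in p1 or on i passing SIZE, so an argv value without a terminator is read past its end, and `i <= SIZE` itself allows one write past buf1[SIZE - 1]. The following is an added example, not code from this thread or from Dave McKinney's program: a copy routine that is bounded by both the destination capacity and an explicit source length, and always terminates the destination. The value of SIZE and the names `bounded_copy` and `copy_stays_in_bounds` are assumptions for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size for the illustration; the thread does not give SIZE. */
#define SIZE 8

/* Copy at most src_len bytes from src into dst, stopping at the first NUL,
   never writing past dst[dst_size - 1], and always NUL-terminating dst.
   Returns the number of payload bytes copied (terminator not counted). */
size_t bounded_copy(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    size_t i = 0;
    if (dst_size == 0)
        return 0;
    /* strict '<' leaves room for the terminator (the quoted loop used '<='),
       and src_len bounds the read so an unterminated source cannot pull in
       whatever happens to follow it in memory */
    while (i < dst_size - 1 && i < src_len && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* Fill a buffer with sentinel bytes beyond the SIZE-byte region handed to
   bounded_copy, then check that no sentinel was overwritten. */
int copy_stays_in_bounds(const char *src, size_t src_len)
{
    char guarded[SIZE + 4];
    memset(guarded, 0x7f, sizeof guarded);          /* sentinel fill */
    bounded_copy(guarded, SIZE, src, src_len);
    for (size_t k = SIZE; k < sizeof guarded; k++)
        if (guarded[k] != 0x7f)
            return 0;                               /* sentinel clobbered */
    return 1;
}

int main(void)
{
    /* constructed input: no NUL anywhere, so a NUL-only loop would keep reading */
    const char unterminated[12] = {'a','b','c','d','e','f','g','h','i','j','k','l'};
    char out[SIZE];

    size_t n = bounded_copy(out, SIZE, unterminated, 4);
    printf("copied %zu bytes: \"%s\"\n", n, out);   /* copied 4 bytes: "abcd" */

    n = bounded_copy(out, SIZE, unterminated, sizeof unterminated);
    printf("copied %zu bytes: \"%s\"\n", n, out);   /* copied 7 bytes: "abcdefg" */

    printf("in bounds: %d\n", copy_stays_in_bounds(unterminated, sizeof unterminated));
    return 0;
}
```

The two limits do different jobs: `dst_size - 1` is what the quoted loop's `i <= SIZE` gets wrong by one, and `src_len` is what removes the assumption that p1 is NUL-terminated at all. For a real argv entry the length would come from `strnlen(argv[1], SIZE)` or a similar bounded measurement rather than from a plain `strlen`.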

This archive was generated by hypermail 2b30 : Tue May 13 2003 - 15:18:40 PDT