Hi, First of all you should read this: http://www.enderunix.org/docs/eng/bof-eng.txt On Sat, May 24, 2003 at 09:11:20PM -0700, Discussion Lists wrote: > The issue here is that there is an exit(1) at the end of the code. So > even if you were to overwrite the return address, it would not matter > because there is no return (if I understand correctly). Yep. However return address is not the only memory area you might be interested in overflowing. Function pointers, at_exit addresses etc. might be quite useful to change the execution flow of the vulnerable program. In this example, you're expected to overflow a function pointer fn. > is that we have to stick our shellcode in an environment variable, then > overwrite the address of that variable into the address of the fn() > function. So they lay out the following code to do it (questions > in-line): > Place your shellcode in an environment variable, so that you know exactly where it is. You're not overwriting env variable, you are overwriting buf and reach fn. > strlen("/home/user/gera/abo3"); > /* That is what I don't get. First, what is the 0xbffffffa address? Is > that where supposedly the > ending address of the code when everything is pushed onto the stack? I > believe strlen calculates the > length of a string? If that is the case, why do they need to calculate If I say, you know the address of env variable, meaning that the address of our shellcode, you should've asked how? This part is the answer to that. Here you are calculating the address of the last environment variable. Again: read bof-eng.txt . - Murat
This archive was generated by hypermail 2b30 : Sun May 25 2003 - 23:20:05 PDT