Re: exploiting a binary if %edi can be overwritten?

From: Valdis.Kletnieksat_private
Date: Mon Jun 23 2003 - 11:33:40 PDT


    On Mon, 23 Jun 2003 10:06:05 +0200, avelat_private said:
    > hi community,
    >
    > i have a buffer overflow question. If i have a binary (no src available)
    > that i can crash with a too long string, so that %edi is set to 0x41414141
    > (means i could control it)... can i craft the buffer so that the address in
    > %edi is actually jumped to?
    
    Although the context here is implied to be Linux on an x86 CPU, it's good to
    remember that there are other Unixoids that run on an x86 (the *BSD and Solaris/X86,
    right off the top of my head) which may have different linkage conventions,
    and that Linux runs on other processors that don't have a %edi register...
    
    I've even seen one exploit that failed to work on a test box - because the
    exploit used a 686-only opcode to work around something (a no-NULLs requirement
    or similar), and the testbed was a 486... ;)
    
    So a quick reminder - mention your system and processor, just to be sure.
    
    For all Unixoid boxes, 'uname -a' should be specific enough:
    
    % uname -a
    Linux turing-police.cc.vt.edu 2.5.72-mm3-lsm1 #3 Sun Jun 22 13:10:38 EDT 2003 i686 i686 i386 GNU/Linux
    
    (Yes, I'm a maniac.. and yes, I know .73 is out :)
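The reply above turns on reading `uname -a` correctly: the trailing fields tell you the machine type, and with it whether a 32-bit x86 register like %edi even exists on the box. The parser below is an added example, not code from the thread or its participants. It handles the GNU coreutils layout of `uname -a` (kernel name, nodename, release, a multi-word kernel version, then machine, optionally processor and hardware platform, then the OS name). Its assumption, stated as such, is that the kernel-version string ends with a four-digit build year, which is how it finds where the machine fields start. The first sample line is the one quoted in the post; the other two are constructed.

```python
import re

# Sample `uname -a` output. The first line is the one quoted in the post above;
# the second and third are constructed samples, not captured from real hosts.
SAMPLE_LINES = [
    "Linux turing-police.cc.vt.edu 2.5.72-mm3-lsm1 #3 Sun Jun 22 13:10:38 EDT 2003 i686 i686 i386 GNU/Linux",
    "Linux buildbox 5.15.0-generic #1 SMP Fri Jan 1 00:00:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux",
    "Linux pi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux",
]

_YEAR = re.compile(r"^\d{4}$")

def parse_uname_a(line):
    """Split a coreutils-style `uname -a` line into named fields.

    Layout: kernel-name nodename kernel-release kernel-version machine
    [processor hardware-platform] operating-system. kernel-version contains
    spaces, so the fixed fields are peeled off both ends instead of relying
    on token positions.
    """
    tokens = line.split()
    if len(tokens) < 6:
        raise ValueError("too few fields for a uname -a line: %r" % line)
    # Assumption: a Linux kernel-version string ends with its build date,
    # whose last token is a four-digit year. The last such token (after the
    # three leading fixed fields) marks the end of kernel-version.
    year_idx = max(
        (i for i, tok in enumerate(tokens) if i >= 3 and _YEAR.match(tok)),
        default=None,
    )
    if year_idx is None:
        raise ValueError("could not find the build-date year ending kernel-version")
    arch_fields = tokens[year_idx + 1:-1]
    # Either "machine processor hardware-platform" or just "machine" when the
    # optional fields are omitted.
    if len(arch_fields) not in (1, 3):
        raise ValueError("unexpected machine fields %r" % arch_fields)
    full = len(arch_fields) == 3
    return {
        "kernel_name": tokens[0],
        "nodename": tokens[1],
        "kernel_release": tokens[2],
        "kernel_version": " ".join(tokens[3:year_idx + 1]),
        "machine": arch_fields[0],
        "processor": arch_fields[1] if full else None,
        "hardware_platform": arch_fields[2] if full else None,
        "operating_system": tokens[-1],
    }

X86_32 = {"i386", "i486", "i586", "i686"}
X86_64 = {"x86_64", "amd64"}

def register_model(machine):
    """Map a uname machine string to (family, general-register width in bits).

    Returns ("other", None) for anything that is not x86, i.e. a CPU with no
    %edi register at all, which is the reply's point.
    """
    if machine in X86_32:
        return ("x86", 32)
    if machine in X86_64:
        return ("x86", 64)
    return ("other", None)

def describe(line):
    """One-line summary of what a crash report on this host can sensibly mention."""
    info = parse_uname_a(line)
    family, bits = register_model(info["machine"])
    if family == "x86" and bits == 32:
        regs = "32-bit x86: %edi is a full general register"
    elif family == "x86":
        regs = "64-bit x86: registers are 64-bit (%rdi); %edi is only the low half"
    else:
        regs = "non-x86 (%s): there is no %%edi register" % info["machine"]
    return "%s %s on %s, %s" % (
        info["kernel_name"], info["kernel_release"], info["nodename"], regs)

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(describe(sample))
```

On a non-Linux Unix the `uname -a` field order differs (the BSDs, for instance, print the machine type last with no separate OS token), so the year heuristic is deliberately strict and raises rather than guessing; that is the safer failure for a script whose job is to pin down the platform before anyone reasons about registers.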
    This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 15:24:04 PDT