Vulnerability Development mailing list archives
Re: regarding phrack49's stack smashing tutorial
From: 11a () GMX NET (Bluefish)
Date: Sun, 14 May 2000 04:30:44 +0200
> Why does it, and more specifically *where*? I wrote some test programs and saw that it is always 0xbffff6c6 +- 0xff. But it changes sometimes. What is so special about this 0xbffffffff address, and by the way this address never fits into my 64M memory.... !

Virtual addresses and physical addresses are two entirely different topics. You have some funky stuff like TLBs and stuff to decode between them. (TLBs decode between virtual addresses and physical addresses.)

> If anybody knows other documents which explain buffer overflows I would appreciate any information.

uhmm.... If I may use my theoretic knowledge (credits to my computer security course taught at my uni, no practical experience ;)

Let's say you have a function f() which is something like:

  void f() { char s[512]; gets(s); }

Once executed, the stack will be filled with:

  ====================================================
  | s[0]..s[511], uninitialized     || return address |
  ====================================================

Now the attacker sends a 'carefully crafted' malicious string, containing 512 bytes of code plus a 32 bit return address which should be pointing to s[0]. (in other words, &s) We then have:

  ===========================================================
  | s[0]..s[511], malicious code    || return address, &s   |
  ===========================================================

And now, the function exits by doing a RET. Ka-ching! EIP is &s and the processor is executing the malicious code.

Now, there's of course more to it, like how to get past situations like a no-exec stack and such. But as long as you are able to overwrite the return addresses, you can modify the execution in ways the programmer did not think of. In some programs, jumping into code which actually isn't malicious could be very bad indeed. Like skipping the entire authentication process in a daemon. (I have never heard of this being done though, anyone that have?)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
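The frame layout drawn above, modelled in C as an added example (not code from the post): a 512-byte buffer followed by a 32-bit saved return slot, filled once with a gets()-style unbounded copy and once with a length-checked copy. The struct, the sentinel value and the function names are assumptions for the demo; a real frame also holds the saved frame pointer and padding.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical model of the frame in the post: s[0..511], then the
   saved return address that RET will load into EIP. */
struct frame {
    char     s[512];
    uint32_t saved_ret;   /* 32-bit return address, as in the post */
};

#define SENTINEL_RET 0x08048000u  /* constructed "legitimate" return value */

/* Mimics gets(): copies whatever arrives with no regard for sizeof(s).
   It stops at the end of the model frame only so the demo stays inside
   a defined object; the real gets() has no limit at all. */
static void fill_unbounded(struct frame *fr, const char *in, size_t len) {
    char *dst = (char *)fr;
    if (len > sizeof *fr) len = sizeof *fr;
    for (size_t i = 0; i < len; i++) dst[i] = in[i];
}

/* Hardened version: refuses any input that does not fit in s with a NUL. */
static int fill_bounded(struct frame *fr, const char *in, size_t len) {
    if (len >= sizeof fr->s) return -1;
    memcpy(fr->s, in, len);
    fr->s[len] = '\0';
    return 0;
}

/* 1 if an input of input_len bytes (<= 600) overwrites the saved return
   address through the unbounded copy, 0 if the slot survives. */
int unbounded_clobbers_ret(size_t input_len) {
    struct frame fr; char in[600];
    memset(in, 'A', sizeof in);              /* constructed 'AAAA...' input */
    fr.saved_ret = SENTINEL_RET;
    fill_unbounded(&fr, in, input_len);
    return fr.saved_ret != SENTINEL_RET;
}

/* 1 if the bounded copy accepts the input and the return slot is intact. */
int bounded_accepts(size_t input_len) {
    struct frame fr; char in[600];
    memset(in, 'A', sizeof in);
    fr.saved_ret = SENTINEL_RET;
    int rc = fill_bounded(&fr, in, input_len);
    return rc == 0 && fr.saved_ret == SENTINEL_RET;
}

int main(void) {
    printf("512 bytes, unbounded: ret clobbered? %d\n", unbounded_clobbers_ret(512));
    printf("516 bytes, unbounded: ret clobbered? %d\n", unbounded_clobbers_ret(516));
    printf("516 bytes, bounded:   accepted?      %d\n", bounded_accepts(516));
    return 0;
}
```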