Vulnerability Development mailing list archives
Re: static char overflow
From: SpaceWalker <spacewalker () altern org>
Date: Thu, 2 May 2002 22:14:44 +0200
On Thu, 2 May 2002 19:36:46 +0200 Sebastian <scut () nb in-berlin de> wrote:
I disagree. It's not exploitable in this simple example, as there is not much code executed thereafter. But if there is some code that touches the dynamic heap somehow (malloc, free, pointer writes, function pointers, anything dynamic such as linked lists, ..) it would be most likely possible.
Speaking of Linux. It may be possible that on some arch, linked with some exotic compiler, the .dtors section is after the bss. That's theoretically not impossible, and I don't see why some linker wouldn't do that, except for the risk of exploiting such a vulnerability. But, even if this example is not exploitable, smashing the bss segment can cause overwriting of global variables, such as pointers. Imagine:

    #include <string.h>   /* the original read <blah.h>; strcpy needs string.h */

    char buffer[128]; /* I don't remember if the bss grows down or up. */
    int *ptr1;        /* global pointer living next to buffer in .bss */
    int random;

    int main(int argc, char **argv)
    {
        int something = 1;
        ptr1 = &something;        /* the original wrote `ptr`, which is never declared */
        random = 31337;
        strcpy(buffer, argv[1]);  /* unchecked copy: a long argv[1] runs past buffer */
        *ptr1 = random;           /* writes through whatever ptr1 now holds */
        return 0;
    }

Of course, it's only an example, but it's exploitable and does not contain any malloc.

SpaceWalker
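As an added example (not part of SpaceWalker's post), the same global layout with the unchecked strcpy replaced by a length-checked copy, plus a helper that reports whether an overrun starting at buffer would reach ptr1 on the toolchain it is built with; `random` is renamed `random_val` here to avoid clashing with libc's random().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same globals as the posted example; `random` renamed to avoid libc's random(). */
char buffer[128];
int *ptr1;
int random_val;

/* Length-checked replacement for strcpy(buffer, argv[1]): returns 0 on success,
   -1 if src plus its terminator does not fit, so nothing past buffer is written. */
int copy_into_buffer(const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof buffer)
        return -1;
    memcpy(buffer, src, n + 1);
    return 0;
}

/* 1 if a write of `len` bytes starting at buffer overlaps ptr1's storage, else 0.
   Lets you confirm on your own compiler/linker whether ptr1 sits in the overflow path. */
int overflow_reaches_ptr1(size_t len)
{
    uintptr_t start = (uintptr_t)buffer, end = start + len;
    uintptr_t p = (uintptr_t)&ptr1;
    return p < end && p + sizeof ptr1 > start;
}

int main(int argc, char **argv)
{
    int something = 1;
    ptr1 = &something;
    random_val = 31337;
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    printf("buffer at %p, ptr1 at %p, an unchecked copy of %zu bytes reaches ptr1: %d\n",
           (void *)buffer, (void *)&ptr1, strlen(argv[1]) + 1,
           overflow_reaches_ptr1(strlen(argv[1]) + 1));
    if (copy_into_buffer(argv[1]) != 0) {
        fprintf(stderr, "rejected: input does not fit in %zu bytes\n", sizeof buffer);
        return 1;
    }
    *ptr1 = random_val;   /* ptr1 is intact, so this writes to `something` */
    printf("something = %d\n", something);
    return 0;
}
```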
Current thread:
- static char overflow melsa (May 01)
- Re: static char overflow SpaceWalker (May 02)
- Re: static char overflow - OUAH - (May 02)
- Re: static char overflow Sebastian (May 02)
- Re: static char overflow SpaceWalker (May 02)
- Re: static char overflow Sebastian (May 03)
- Re: static char overflow Sebastian (May 02)
- Re: static char overflow Shaun Clowes (May 04)