Vulnerability Development mailing list archives
Re: Abo3 (can someone help me?)
From: Murat Balaban <murat () enderunix org>
Date: Mon, 26 May 2003 08:24:36 +0300
Hi, First of all you should read this: http://www.enderunix.org/docs/eng/bof-eng.txt On Sat, May 24, 2003 at 09:11:20PM -0700, Discussion Lists wrote:
The issue here is that there is an exit(1) at the end of the code. So even if you were to overwrite the return address, it would not matter because there is no return (if I understand correctly).
Yep. However return address is not the only memory area you might be interested in overflowing. Function pointers, at_exit addresses etc. might be quite useful to change the execution flow of the vulnerable program. In this example, you're expected to overflow a function pointer fn.
is that we have to stick our shellcode in an environment variable, then overwrite the address of that variable into the address of the fn() function. So they lay out the following code to do it (questions in-line):
Place your shellcode in an environment variable, so that you know exactly where it is. You're not overwriting env variable, you are overwriting buf and reach fn.
strlen("/home/user/gera/abo3"); /* That is what I don't get. First, what is the 0xbffffffa address? Is that where supposedly the ending address of the code when everything is pushed onto the stack? I believe strlen calculates the length of a string? If that is the case, why do they need to calculate
If I say, you know the address of env variable, meaning that the address of our shellcode, you should've asked how? This part is the answer to that. Here you are calculating the address of the last environment variable. Again: read bof-eng.txt . - Murat
Current thread:
- Abo3 (can someone help me?) Discussion Lists (May 25)
- Re: Abo3 (can someone help me?) Murat Balaban (May 25)
- Re: Abo3 (can someone help me?) c0n (May 25)
- Re: Abo3 (can someone help me?) sin (May 27)