Vulnerability Development mailing list archives

Re: Administrivia: List Announcement


From: "Mr. Rufus Faloofus" <foofus () foofus net>
Date: Tue, 13 May 2003 14:06:10 -0500

At 11:25 AM 5/13/2003, Dave McKinney wrote:
[snip]
        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                buf1[i] = p1[i];

Well, the code assumes that p1 is null-terminated.  If
we supply a value for argv[1] that doesn't end in a
'\0', this routine will continue to copy information
beyond the end of argv[1] into buf1.

Then we free buf1, which might contain a copy of
some or all of buf2.

It seems non-trivial to exploit this in a meaningful
way.  Even if it gets run by someone with elevated
privileges, your shellcode needs to be less than
SIZE bytes long, and you need to assume that this
buffer also would overwrite the instruction pointer.

Wouldn't this factor (relationship of the instruction
pointer to buf1) vary from one environment to another?
Or am I missing something (it happens)?

--Foofus.
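The quoted loop is worth pinning down independently of how the source string is terminated: because the bound is `i <= SIZE` rather than `i < SIZE`, a source of SIZE or more non-NUL bytes makes the loop store into `buf1[SIZE]`, one byte past a SIZE-byte buffer, and the loop as shown never stores a terminator into `buf1` at all. The following is an added example written for this page, not code from the original thread. It assumes `SIZE` is 16 and that `buf1` was allocated with `malloc(SIZE)` (neither is shown in the post); it runs the posted loop against a buffer with one extra guard byte so the off-by-one can be observed without corrupting real heap metadata, and shows a bounded copy beside it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value; the original post does not show the definition of SIZE. */
#define SIZE 16

/* Count how many bytes the posted loop would store into buf1 for a
 * given NUL-terminated source, without performing the writes.
 * Result is min(strlen(p1), SIZE + 1): with a long source the loop
 * stores SIZE + 1 bytes into a SIZE-byte buffer. */
size_t bytes_written_by_loop(const char *p1, size_t size)
{
    size_t i;
    for (i = 0; i <= size && p1[i] != '\0'; i++)
        ;
    return i;
}

/* Run the posted loop against a heap buffer that is SIZE + 1 bytes long,
 * treating the first SIZE bytes as the "real" buf1 and byte SIZE as a
 * guard (canary).  Returns 1 if the loop overwrote the guard byte,
 * 0 if it did not, -1 on allocation failure.  The extra byte keeps the
 * demonstration inside the allocation, so this is safe to run. */
int original_loop_clobbers_canary(const char *p1)
{
    const unsigned char canary = 0xAA;
    char *buf1 = malloc(SIZE + 1);   /* SIZE bytes + 1 guard byte */
    size_t i;
    int clobbered;

    if (buf1 == NULL)
        return -1;
    memset(buf1, 0, SIZE + 1);
    buf1[SIZE] = (char)canary;

    /* The loop exactly as quoted in the thread. */
    for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
        buf1[i] = p1[i];

    clobbered = ((unsigned char)buf1[SIZE] != canary);
    free(buf1);
    return clobbered;
}

/* Hardened replacement: never writes past dst[size - 1] and always
 * stores a terminator.  Returns the number of source bytes copied. */
size_t bounded_copy(char *dst, size_t size, const char *src)
{
    size_t i;
    if (size == 0)
        return 0;
    for (i = 0; i + 1 < size && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

/* Copy src into a SIZE-byte local with bounded_copy and return the
 * resulting string length, so the truncation is observable. */
size_t bounded_copy_result_len(const char *src)
{
    char dst[SIZE];
    bounded_copy(dst, sizeof dst, src);
    return strlen(dst);
}

int main(void)
{
    /* Constructed inputs: one short, one longer than SIZE. */
    const char *shortsrc = "hello";
    const char *longsrc  = "AAAAAAAAAAAAAAAAAAAA";   /* 20 bytes */

    printf("posted loop stores %zu bytes for \"%s\"\n",
           bytes_written_by_loop(shortsrc, SIZE), shortsrc);
    printf("posted loop stores %zu bytes for 20 A's (buffer is %d)\n",
           bytes_written_by_loop(longsrc, SIZE), SIZE);
    printf("guard byte clobbered: short=%d long=%d\n",
           original_loop_clobbers_canary(shortsrc),
           original_loop_clobbers_canary(longsrc));
    printf("bounded copy keeps %zu of 20 bytes\n",
           bounded_copy_result_len(longsrc));
    return 0;
}
```

The guard-byte trick only makes the one-byte overwrite visible; on a real `malloc(SIZE)` allocation that byte belongs to the allocator, which is why the `free(buf1)` mentioned in the thread is where the corruption would actually surface.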
