Vulnerability Development mailing list archives
Re: Administrivia: List Announcement
From: "Mr. Rufus Faloofus" <foofus () foofus net>
Date: Tue, 13 May 2003 14:06:10 -0500
At 11:25 AM 5/13/2003, Dave McKinney wrote: [snip]
for (i = 0; i <= SIZE && p1[i] != '\0'; i++) buf1[i] = p1[i];
Well, the code assumes that p1 is null-terminated. If we supply a value for argv[1] that doesn't end in a '\0', this routine will continue to copy information beyond the end of argv[1] into buf1. Then we free buf1, which might contain a copy of some or all of buf2. It seems non-trivial to exploit this in a meaningful way. Even if it gets run by someone with elevated privileges, your shellcode needs to be less than SIZE bytes long, and you need to assume that this buffer also would overwrite the instruction pointer. Wouldn't this factor (relationship of the instruction pointer to buf1) vary from one environment to another? Or am I missing something (it happens)?

--Foofus.
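The quoted loop is worth looking at on its own terms: the condition `i <= SIZE` allows the index to reach SIZE, so a buffer of SIZE bytes receives one byte past its end, and the loop never writes a terminating '\0' into buf1. The following C program is an added illustration written for this archive page; it is not vulndev-1.c and not any list member's code. SIZE is set to a hypothetical 16 because the challenge's real value is not shown here, the inputs are constructed, and the as-posted loop is run only into a deliberately oversized scratch buffer so its byte count can be measured without corrupting memory. The bounded version beside it shows the two checks a fix needs: a limit of SIZE - 1 characters and an explicit terminator.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical buffer size; the challenge's actual SIZE is not on the page. */
#define SIZE 16

/* Same loop as in the quoted message. With a SIZE-byte destination this
 * writes dst[SIZE] (one past the end) and never stores a '\0'.
 * Returns the number of bytes written so the over-run can be observed. */
size_t copy_as_posted(char *dst, const char *src)
{
    size_t i;
    for (i = 0; i <= SIZE && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i;
}

/* Hardened copy: never more than dst_size - 1 characters, never reads
 * past src_len bytes of the source (so an unterminated source is safe),
 * and always NUL-terminates. Returns the number of characters copied. */
size_t copy_bounded(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    size_t n = 0;
    if (dst_size == 0)
        return 0;
    while (n < dst_size - 1 && n < src_len && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Constructed input: 32 'A' characters, well beyond SIZE. */
static const char LONG_INPUT[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* How many bytes the as-posted loop writes for LONG_INPUT. The scratch
 * buffer is SIZE + 2 bytes on purpose so the demo itself stays in bounds. */
size_t posted_loop_bytes_written(void)
{
    char scratch[SIZE + 2];
    return copy_as_posted(scratch, LONG_INPUT);
}

/* Bounded copy of LONG_INPUT into a real SIZE-byte buffer; returns the
 * copied length only if the result is properly terminated. */
size_t bounded_copy_len(void)
{
    char buf[SIZE];
    size_t n = copy_bounded(buf, sizeof buf, LONG_INPUT, sizeof LONG_INPUT - 1);
    return (buf[n] == '\0' && strlen(buf) == n) ? n : (size_t)-1;
}

/* Constructed source with no terminator at all: the bounded copy must stop
 * at src_len instead of scanning onward for a '\0'. Returns 1 on success. */
int bounded_copy_unterminated_ok(void)
{
    char raw[4] = { 'a', 'b', 'c', 'd' };
    char buf[SIZE];
    size_t n = copy_bounded(buf, sizeof buf, raw, sizeof raw);
    return n == 4 && strcmp(buf, "abcd") == 0;
}

int main(void)
{
    printf("as-posted loop wrote %zu bytes into a %d-byte buffer\n",
           posted_loop_bytes_written(), SIZE);
    printf("bounded copy stored %zu characters plus terminator\n",
           bounded_copy_len());
    printf("unterminated source handled: %s\n",
           bounded_copy_unterminated_ok() ? "yes" : "no");
    return 0;
}
```

The measurable point is the first line of output: for any input of SIZE or more non-NUL bytes the posted loop writes SIZE + 1 bytes, so the off-by-one exists regardless of how argv[1] is terminated, and the missing '\0' means anything that later treats buf1 as a string reads whatever follows it.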
Current thread:
- Re: Administrivia: List Announcement, (continued)
- Re: Administrivia: List Announcement Luciano Miguel Ferreira Rocha (May 14)
- vulndev-1.c challenge (was Re: Administrivia: List Announcement) Bennett Todd (May 13)
- Re: Administrivia: List Announcement Bernie Cosell (May 13)
- Re: Administrivia: List Announcement Valdis . Kletnieks (May 15)
- partial analysis of vulndev-1.c David R. Piegdon (May 13)
- Re: partial analysis of vulndev-1.c Dana Epp (May 13)
- Re: partial analysis of vulndev-1.c master of chaos - lord of mean (May 13)
- RE: partial analysis of vulndev-1.c David Schwartz (May 13)
- Re: partial analysis of vulndev-1.c Nexus (May 14)
- Re: partial analysis of vulndev-1.c andrewg (May 13)
- Re: Administrivia: List Announcement Mr. Rufus Faloofus (May 13)
- RE: Administrivia: List Announcement Cameron Brown (May 13)
- RE: Administrivia: List Announcement Shafik Yaghmour (May 13)
- RE: Administrivia: List Announcement Cameron Brown (May 13)
- RE: Administrivia: List Announcement andrewg (May 13)
- RE: Administrivia: List Announcement Shafik Yaghmour (May 13)
- Re: vulndev1.c solution (warning SPOILER) Jose Ronnick (May 13)
- RE: vulndev1.c solution (warning SPOILER) Cameron Brown (May 14)
- Re: vulndev1.c solution (warning SPOILER) Jon Erickson (May 14)
- RE: vulndev1.c solution (warning SPOILER) Cameron Brown (May 15)
- Re: vulndev1.c solution (warning SPOILER) Kenji Cronos (May 15)