Vulnerability Development mailing list archives

Re: challenge

From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Tue, 14 Sep 2004 14:34:39 +0200 (CEST)

Hopefully I shall get responses to this challenge,...


Hey fuzzy,

Find attached a working C exploit (with detailed comments) for your sample 
vulnerable code. 

Of course, it's possible to modify it to automagically get the needed 
addresses. It should also be possible to use pipe() and write() to send 
the evil buffer to the vulnerable program.

Finally, there's room for the .got entry substitution technique, for 
changing the second free() into a system() instead of using a shellcode
-- but beware, 'cause usually system() drops privileges.

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707

Attachment: vuln-ex.c
Description:

Current thread:

challenge fuzzy () bonbon net (Sep 14)
- <Possible follow-ups>
- Re: challenge Marco Ivaldi (Sep 16)
  - Re: challenge Marco Ivaldi (Sep 14)
  - Re: challenge Marco Ivaldi (Sep 14)