Vulnerability Development mailing list archives
Re: challenge
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Tue, 14 Sep 2004 14:34:39 +0200 (CEST)
Hopefully I shall get responses to this challenge,...
Hey fuzzy, Find attached a working C exploit (with detailed comments) for your sample vulnerable code. Of course, it's possible to modify it to automagically get the needed addresses. It should also be possible to use pipe() and write() to send the evil buffer to the vulnerable program. Finally, there's room for the .got entry substitution technique, for changing the second free() into a system() instead of using a shellcode -- but beware, 'cause usually system() drops privileges. Cheers, -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
Attachment:
vuln-ex.c
Description:
Current thread:
- challenge fuzzy () bonbon net (Sep 14)
- <Possible follow-ups>
- Re: challenge Marco Ivaldi (Sep 16)
- Re: challenge Marco Ivaldi (Sep 14)
- Re: challenge Marco Ivaldi (Sep 14)