Vulnerability Development mailing list archives

Re: static char overflow


From: SpaceWalker <spacewalker () altern org>
Date: Thu, 2 May 2002 22:14:44 +0200

On Thu, 2 May 2002 19:36:46 +0200
Sebastian <scut () nb in-berlin de> wrote:

I disagree. It's not exploitable in this simple example, as there is not much
code executed thereafter. But if there is some code that touches the dynamic
heap somehow (malloc, free, pointer writes, function pointers, anything
dynamic such as linked lists, ..) it would be most likely possible.

Speaking of Linux. It may be possible that on some arch, linked with some exotic compiler, the .dtors section is after 
the bss. That's theoretically not impossible, and I don't see why some linker wouldn't do that, except the risk of 
exploiting such a vulnerability.

But, unless this example is not exploitable, smashing the bss segment can cause overwriting of global variables, such 
as pointers.
Imagine:

#include <string.h>  /* strcpy */
char buffer[128]; /* I don't remember if the bss grows down or up. */
int *ptr1;
int random;
int main(int argc,char **argv){
        int something=1;
        ptr1=&something;
        random=31337;
        strcpy(buffer,argv[1]);  /* unbounded copy: runs past buffer into whatever the linker placed after it */
        *ptr1=random;            /* if the overflow reached ptr1, 31337 is written wherever ptr1 now points */
        return 0;
}

Of course, it's only an example, but it's exploitable and does not contain any malloc.
SpaceWalker
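The post's example turns on two things: whether the linker really places ptr1 right after buffer in .bss, and the unbounded strcpy() that lets argv[1] run into it. The program below is an added example written for this archive page, not code from SpaceWalker or Sebastian. It keeps the post's global layout, reports at run time how many bytes separate the end of buffer from ptr1 (so you can check the layout for your own toolchain instead of guessing), and replaces the strcpy() with a bounded copy that rejects input that does not fit. The names safe_copy, distance_buffer_to_ptr1, hardened_run and hardened_run_with_len are this example's own; the post's global `random` is renamed random_value so it cannot clash with libc's random().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Globals in the same source order as the post: a 128-byte buffer, then a
 * pointer, then an int. Whether the linker really puts ptr1 after buffer is
 * what distance_buffer_to_ptr1() reports at run time. */
char buffer[128];
int *ptr1;
int random_value;   /* the post's `random`, renamed to avoid libc's random() */

/* Bounded replacement for the post's strcpy(buffer, argv[1]).
 * Returns 0 on success, -1 if src plus its terminating NUL does not fit. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;               /* would overflow: refuse rather than write past dst */
    memcpy(dst, src, len + 1);   /* len + 1 also copies the NUL terminator */
    return 0;
}

/* Signed byte distance from one-past-the-end of buffer to the start of ptr1.
 * 0 means ptr1 is immediately adjacent, a small positive value means a short
 * overrun would reach it, a negative value means the linker put ptr1 before
 * buffer (so an overrun of buffer cannot hit it). */
long distance_buffer_to_ptr1(void)
{
    return (long)((intptr_t)&ptr1 - (intptr_t)(buffer + sizeof buffer));
}

/* The post's main() with the copy bounded. Returns 0 when the input was
 * accepted and the write through ptr1 happened, 1 when it was rejected. */
int hardened_run(const char *input)
{
    int something = 1;
    ptr1 = &something;
    random_value = 31337;
    if (safe_copy(buffer, sizeof buffer, input) != 0)
        return 1;                /* input too long: ptr1 was never in danger */
    *ptr1 = random_value;        /* ptr1 still points at `something` */
    return 0;
}

/* Test helper: run hardened_run() on a constructed input of n 'A' bytes
 * (capped at 511 so the helper itself cannot overflow). */
int hardened_run_with_len(size_t n)
{
    static char input[512];
    if (n > sizeof input - 1)
        n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return hardened_run(input);
}

int main(int argc, char **argv)
{
    printf("bytes from end of buffer to ptr1: %ld\n", distance_buffer_to_ptr1());
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 2;
    }
    int rc = hardened_run(argv[1]);
    printf("%s\n", rc == 0 ? "input accepted"
                           : "input rejected: does not fit in buffer[128]");
    return rc;
}
```

Compile it and run it once with a short argument to see the layout figure; on most GNU toolchains ptr1 lands at a small positive distance after buffer, which is exactly the condition the post relies on, and the bounded copy is what removes the write-what-where regardless of where the linker put things.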

