Vulnerability Development mailing list archives
Re: static char overflow
From: "- OUAH -" <ouah_ () hotmail com>
Date: Thu, 02 May 2002 20:00:27 +0800
hello,

ouah@weed:~$ gcc -g tr.c -o tr
ouah@weed:~$ gdb tr -q
(gdb) l
1 main(int argc,char **argv)
2 {
3 static char buf [1024];
4 strcpy(buf,argv[1]);
5 printf("%s",buf);
6 }
(gdb) b 5
Breakpoint 1 at 0x8048443: file tr.c, line 5.
(gdb) r AAA
Starting program: /home/ouah/tr AAA

Breakpoint 1, main (argc=2, argv=0xbffff9b4) at tr.c:5
5 printf("%s",buf);
(gdb) info symbol buf
buf.3 in section .bss
(gdb) q
The program is running. Exit anyway? (y or n) y
ouah@weed:~$ size -A -x tr | grep -1 bss
.dynamic 0xa0 0x80494f8
.sbss 0x0 0x8049598
.bss 0x420 0x80495a0
.stab 0x93c 0x0
ouah@weed:~$

You can see your buffer is located in the .bss section and there isn't another contiguous section after it. You can make the vulnerable proggie segfault, but only as it writes to an unauthorized section (you cannot write after the .bss section!). So this code is NOT exploitable (you can have a DoS but you cannot get a shell) in modern Linux. Maybe it can be exploitable in other OSes (and what about file formats other than ELF?). I heard that it can be exploited in old Linux if it is compiled as static (as ELF sections will not be in the same order).
Note: If your buffer was initialised (=> it goes to the .data section), you could overwrite the .dtors section and exploit it.
Bye,
OUAH
http://ouah.sysdoor.net
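An added example (not from OUAH's post) that checks the layout argument above programmatically instead of reading it off gdb and size: it assumes Linux/glibc, where the linker provides the symbols `edata` (end of .data) and `end` (end of .bss and of the image), as documented in end(3). The two static buffers are constructed to mirror the post's uninitialised case and its initialised counterpart.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Linker-provided markers, see end(3) on Linux/glibc (assumption: ELF + GNU/LLVM ld):
 * `edata` ends the initialised data (.data); `end` ends .bss and the loaded image. */
extern char edata, end;

/* Constructed sample objects mirroring the post: an uninitialised static
 * buffer (expected in .bss) and an initialised one (expected in .data). */
static char bss_buf[1024];
static char data_buf[1024] = "initialised";

/* Return 1 if `p` lies inside [edata, end), i.e. inside .bss. */
int in_bss(const void *p) {
    uintptr_t a = (uintptr_t)p;
    return a >= (uintptr_t)&edata && a < (uintptr_t)&end;
}

/* Bytes between the end of an object and the end of the image's sections.
 * An unbounded strcpy into `buf` covers at most this distance before it
 * passes `end`; nothing the binary itself placed (.dtors, GOT, other data)
 * lies beyond that point, which is the post's reason for expecting only a
 * crash. Whether the next page is even mapped depends on heap placement. */
ptrdiff_t headroom_to_image_end(const void *buf, size_t len) {
    return (const char *)&end - ((const char *)buf + len);
}

int main(void) {
    printf("edata=%p end=%p\n", (void *)&edata, (void *)&end);
    printf("bss_buf  %p in_bss=%d headroom=%td bytes\n", (void *)bss_buf,
           in_bss(bss_buf), headroom_to_image_end(bss_buf, sizeof bss_buf));
    /* .data precedes .bss, so an initialised buffer has more of the image
     * (including .bss and, on 2002-era binaries, .dtors) laid out after it. */
    printf("data_buf %p in_bss=%d\n", (void *)data_buf, in_bss(data_buf));
    return 0;
}
```

Compile with `gcc -g layout.c -o layout` and compare the printed addresses with `size -A -x layout` to see the same .data/.bss boundary the post reads out of gdb.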
Current thread:
- static char overflow melsa (May 01)
- Re: static char overflow SpaceWalker (May 02)
- <Possible follow-ups>
- Re: static char overflow - OUAH - (May 02)
- Re: static char overflow Sebastian (May 02)
- Re: static char overflow SpaceWalker (May 02)
- Re: static char overflow Sebastian (May 03)
- Re: static char overflow Sebastian (May 02)
- Re: static char overflow Shaun Clowes (May 04)