Vulnerability Development mailing list archives

Re: static char overflow


From: "- OUAH -" <ouah_ () hotmail com>
Date: Thu, 02 May 2002 20:00:27 +0800

hello,

ouah@weed:~$ gcc -g tr.c -o tr
ouah@weed:~$ gdb tr -q
(gdb) l
1       main(int argc,char **argv)
2       {
3         static char buf [1024];
4       strcpy(buf,argv[1]);
5       printf("%s",buf);
6       }
(gdb) b 5
Breakpoint 1 at 0x8048443: file tr.c, line 5.
(gdb)  r AAA
Starting program: /home/ouah/tr AAA

Breakpoint 1, main (argc=2, argv=0xbffff9b4) at tr.c:5
5       printf("%s",buf);
(gdb) info symbol buf
buf.3 in section .bss
(gdb) q
The program is running.  Exit anyway? (y or n) y
ouah@weed:~$ size -A -x tr | grep -1 bss
.dynamic           0xa0   0x80494f8
.sbss               0x0   0x8049598
.bss              0x420   0x80495a0
.stab             0x93c         0x0
ouah@weed:~$

You can see your buffer is located in the .bss section and there isn't another contiguous section after it. You can make the vulnerable proggie segfault, but only as it writes to an unauthorized section (you cannot write after the .bss section!). So this code is NOT exploitable (you can have a DoS but you cannot get a shell) on modern Linux. Maybe it can be exploitable on other OSes (and what about other file formats than ELF?). I heard that it can be exploited on old Linux if it is compiled as static (as ELF sections will not be in the same order).

Note: If your buffer was initialised (=> it goes to the .data section), you could overwrite the .dtors section and exploit it.

Bye,

OUAH
http://ouah.sysdoor.net




