Re: Abo3 (can someone help me?)

[Murat Balaban <murat () enderunix org>]

Hi, 

First of all you should read this: http://www.enderunix.org/docs/eng/bof-eng.txt

On Sat, May 24, 2003 at 09:11:20PM -0700, Discussion Lists wrote:
> The issue here is that there is an exit(1) at the end of the code.  So
> even if you were to overwrite the return address, it would not matter
> because there is no return (if I understand correctly).

Yep. However return address is not the only memory area you might be interested
in overflowing. Function pointers, at_exit addresses etc. might be quite useful
to change the execution flow of the vulnerable program. In this example, you're
expected to overflow a function pointer fn. 

> is that we have to stick our shellcode in an environment variable, then
> overwrite the address of that variable into the address of the fn()
> function.  So they lay out the following code to do it (questions
> in-line):

Place your shellcode in an environment variable, so that you know exactly
where it is. You're not overwriting env variable, you are overwriting buf
and reach fn.

> strlen("/home/user/gera/abo3");
> /* That is what I don't get.  First, what is the 0xbffffffa address?  Is
> that where supposedly the 
> ending address of the code when everything is pushed onto the stack?  I
> believe strlen calculates the 
> length of a string?  If that is the case, why do they need to calculate

If I say, you know the address of env variable, meaning that the address
of our shellcode, you should've asked how? This part is the answer to
that. Here you are calculating the address of the last environment variable.
Again: read bof-eng.txt .

- Murat