
Re: Administrivia: List Announcement

From: Mr. Rufus Faloofus <foofus(at)foofus.net>
Date: Tue May 13 2003 - 15:06:10 EDT


At 11:25 AM 5/13/2003, Dave McKinney wrote: [snip]
> for (i = 0; i <= SIZE && p1[i] != '\0'; i++)

Well, the code assumes that p1 is null-terminated. If we supply a value for argv[1] that doesn't end in a '\0', this routine will continue to copy information beyond the end of argv[1] into buf1.

Then we free buf1, which might contain a copy of some or all of buf2.

It seems non-trivial to exploit this in a meaningful way. Even if it gets run by someone with elevated privileges, your shellcode needs to be less than SIZE bytes long, and you need to assume that this buffer also would overwrite the instruction pointer.

Wouldn't this factor (relationship of the instruction pointer to buf1) vary from one environment to another? Or am I missing something (it happens)?

--Foofus.

Received on Tue May 13 18:26:20 2003
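The two defects discussed above (a copy loop whose `i <= SIZE` bound permits SIZE + 1 stores into a SIZE-byte buffer, and a source that is assumed to be NUL-terminated) can be shown side by side. The block below is an added example, not code from the original thread: `SIZE`, the 32-byte unterminated source, and the function names are assumptions. `quoted_loop_stores` models the quoted loop arithmetically, reading only within the source's known length, so it counts the stores the original would make without performing the out-of-bounds access itself; `bounded_copy` is the hardened form that takes the destination size and the source length explicitly and always terminates the destination.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIZE 16 /* assumed buffer size; the thread never states the real value */

/* Model of the quoted loop "for (i = 0; i <= SIZE && p1[i] != '\0'; i++)".
 * Returns how many stores buf1[i] = p1[i] the loop would perform for a source
 * whose first p1_len bytes are known. Reads p1 only inside p1_len; if the loop
 * would have read beyond that, *reads_past_source is set instead. */
size_t quoted_loop_stores(const char *p1, size_t p1_len, int *reads_past_source)
{
    size_t stores = 0;
    *reads_past_source = 0;
    for (size_t i = 0; i <= SIZE; i++) {          /* same bound as the quoted loop */
        if (i >= p1_len) {                       /* original would read past p1 here */
            *reads_past_source = 1;
            break;
        }
        if (p1[i] == '\0')
            break;
        stores++;                                /* buf1[i] = p1[i] in the original */
    }
    return stores;                               /* can reach SIZE + 1 for a SIZE-byte buf1 */
}

/* Hardened copy: does not rely on src being NUL-terminated. Copies at most
 * src_len bytes, never more than dst_size - 1, stops at a NUL, and always
 * NUL-terminates dst. Returns the number of bytes copied. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || dst_size == 0)
        return 0;
    size_t limit = dst_size - 1;                 /* leave room for the terminator */
    if (src_len < limit)
        limit = src_len;
    size_t n = 0;
    while (n < limit && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Constructed sample input: 32 bytes of 'A' with no NUL anywhere. */
static void fill_unterminated(char *buf, size_t len)
{
    memset(buf, 'A', len);
}

/* Stores the quoted loop would make into a SIZE-byte buf1 from the sample. */
size_t demo_quoted_loop_stores(void)
{
    char p1[32];
    int past = 0;
    fill_unterminated(p1, sizeof p1);
    return quoted_loop_stores(p1, sizeof p1, &past);   /* SIZE + 1 */
}

/* Bytes the hardened copy writes from the same unterminated sample. */
size_t demo_bounded_copy(void)
{
    char p1[32];
    char buf1[SIZE];
    fill_unterminated(p1, sizeof p1);
    return bounded_copy(buf1, sizeof buf1, p1, sizeof p1); /* SIZE - 1 */
}

/* 1 if the hardened copy left buf1 terminated inside its own bounds. */
int demo_bounded_copy_terminated(void)
{
    char p1[32];
    char buf1[SIZE];
    fill_unterminated(p1, sizeof p1);
    bounded_copy(buf1, sizeof buf1, p1, sizeof p1);
    return buf1[SIZE - 1] == '\0' && strlen(buf1) == SIZE - 1;
}

/* A short, properly terminated source is copied in full and stops at the NUL. */
size_t demo_short_source(void)
{
    char buf1[SIZE];
    return bounded_copy(buf1, sizeof buf1, "hello", sizeof "hello"); /* 5 */
}

int main(void)
{
    printf("quoted loop stores into %d-byte buf1: %zu\n", SIZE, demo_quoted_loop_stores());
    printf("bounded_copy writes: %zu, terminated: %d\n",
           demo_bounded_copy(), demo_bounded_copy_terminated());
    return 0;
}
```

With the assumed SIZE of 16, the modelled loop performs 17 stores into a 16-byte buffer, which is the extra byte the `<=` bound allows before the source's missing terminator is even considered; the bounded copy writes 15 bytes and a NUL regardless of how the source ends.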

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

