[3316] in bugtraq


Re: rlogin bug and buffer overflow thoughts

daemon@ATHENA.MIT.EDU (Bugtraq Archiver)
Tue Sep 3 01:35:30 1996

Date: 	Tue, 3 Sep 1996 14:00:25 GMT
Reply-To: Bugtraq Archiver <bugtraq@sliderule.geek.org.uk>
From: Bugtraq Archiver <bugtraq@sliderule.geek.org.uk>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

> I wrote a "vulnerable" test to check it.
> -----------------------------------------------------------------
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> int main(void)
> {
>         char string[256];
>
>         /* unbounded copy: a TERM longer than 255 bytes overruns string[] */
>         strcpy(string,getenv("TERM"));
> /* everything that comes after this call still works, like: */
>         printf("%s",string);
>         /* the overwritten return address is used when main() returns here */
>         return 0;
> }
> -----------------------------------------------------------------
> This gives me a shell when the TERM is a long string with the proper
> instructions.
> But this one didn't give a shell:
> -----------------------------------------------------------------
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> int main(void)
> {
>         char string[256];
>
>         /* same unbounded copy as above */
>         strcpy(string,getenv("TERM"));
>         /* exit() never returns, so main()'s return address is never popped */
>         exit(0);
> }
> ----------------------------------------------------------------
> Any comments?

Yeah, on buffer overflows it executes the new code on return of the routine..  In
linux (and from what I heard BSDI) these things get pushed onto the stack this way
when a routine is called:
<args passed>
return address
old stack pointer
<local vars>

Now when you overflow, you overwrite the return address to point to where your
code will be..  Then when the routine returns it pops off the old stack pointer
and the return address, and executes code wherever the return address says to..
If these are invalid, they will prolly cause a seg fault, if they are valid,
then it will execute stuff..

Because in your second routine you have an exit(), it won't return, but rather call
a new routine, and thus doesn't pop off the return addr..
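
A hardened counterpart to the quoted test program, added here as an example and not part of either poster's message: the unbounded strcpy() is replaced by a length-checked copy (copy_term and the two helper functions are my own names), so an oversized or unset TERM is rejected instead of overwriting the saved return address in main()'s frame.

```c
/* Added example, not from the original post: same 256-byte local buffer,
 * but the copy refuses anything that does not fit with its terminator. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERM_BUF 256

/* Copy src into dst (capacity dstlen) only if it fits including the NUL.
 * Returns 0 on success, -1 if src is NULL or too long; on failure dst is
 * left as an empty string and nothing past it is touched. */
int copy_term(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;              /* getenv() returns NULL when TERM is unset */
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;              /* would not fit with the terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Helper: try src against a TERM_BUF-sized stack buffer, as main() does. */
int term_copy_result(const char *src)
{
    char buf[TERM_BUF];
    return copy_term(buf, sizeof buf, src);
}

/* Helper: result for a constructed TERM value made of n 'A' bytes. */
int term_copy_result_len(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', n);
    s[n] = '\0';
    int r = term_copy_result(s);
    free(s);
    return r;
}

int main(void)
{
    char string[TERM_BUF];

    if (copy_term(string, sizeof string, getenv("TERM")) != 0) {
        fprintf(stderr, "TERM unset or longer than %d bytes\n", TERM_BUF - 1);
        return 1;
    }
    printf("%s\n", string);
    return 0;
}
```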
