[16633] in bugtraq
Re: glibc/locale exploit for linux/x86
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Thu Sep 7 12:32:25 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000907104337.T2636@monad.swb.de>
Date: Thu, 7 Sep 2000 10:43:37 +0200
Reply-To: Olaf Kirch <okir@CALDERA.DE>
From: Olaf Kirch <okir@CALDERA.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200009061306.VAA02539@intra.nsfocus.com>; from warning3@mail.com on Wed, Sep 06, 2000 at 09:01:47PM +0800
On Wed, Sep 06, 2000 at 09:01:47PM +0800, Warning3 wrote:
> printf("Using RET location address: 0x%x\n", retloc);
> shell_addr = get_esp() + offset;
I've always wondered why all these exploits mess around with
strange offsets... When the ix86 Linux kernel execs an ELF program,
the stack looks like this (at least it did every time I checked)
0x80000000
0x7FFFFFFC 00 00 00 00
argv[0] + NUL byte
last envar
...
first envar
argv
So it's easy to compute the start of your shell code without
having to rely on magic offsets:
shell_addr = (caddr_t) 0x7FFFFFFC
             - strlen(ARGV0) - 1
             - strlen(EGG) - 1;
...
n = 0;
myenv[n++] = ...
myenv[n++] = EGG;
myenv[n++] = NULL;
execle(VICTIM_PROGRAM, ARGV0, ..., NULL, myenv);
Just wondering...
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
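The layout Olaf describes is easy to check from inside a process, and doing so also shows why the constant-address trick stopped working: the shape of the top of the stack is unchanged on a modern Linux kernel (a zero word, then the exec'd filename string, then the environment strings from last to first), but stack ASLR moves the whole block to a different base on every exec. The following C program is an added example, not code from Olaf's post or from the exploit he is replying to. It assumes Linux with glibc 2.16 or later (for getauxval), reads the top of the [stack] mapping from /proc/self/maps, and uses AT_EXECFN to locate the topmost string (what the post labels "argv[0]" is the path passed to execve). The function names (addr_below_top, stack_top_from_maps, execfn_end, last_env_string, layout_matches_post) are mine.

```c
/* Added example: inspect this process's own initial stack and check
 * the top-of-stack picture from the post. Assumes Linux and glibc >= 2.16
 * (getauxval). All function names here are the example's own. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

extern char **environ;

/* The arithmetic from the post as a pure function: a string of length
 * len_top sits directly under the zero word at stack_top, and a string
 * of length len_below sits directly under that; return where the lower
 * string starts (each string carries one NUL byte). */
uintptr_t addr_below_top(uintptr_t stack_top, size_t len_top, size_t len_below)
{
    return stack_top - (len_top + 1) - (len_below + 1);
}

/* End address of the [stack] mapping from /proc/self/maps, or 0 if the
 * line cannot be found (e.g. /proc not mounted). */
uintptr_t stack_top_from_maps(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    uintptr_t top = 0;
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strstr(line, "[stack]")) {
            unsigned long lo, hi;
            if (sscanf(line, "%lx-%lx", &lo, &hi) == 2)
                top = (uintptr_t)hi;
            break;
        }
    }
    fclose(f);
    return top;
}

/* The kernel copies the exec'd filename first, so it is the topmost
 * string on the stack; AT_EXECFN points at it. Return the address just
 * past its terminating NUL (0 if the auxv entry is missing). */
uintptr_t execfn_end(void)
{
    const char *fn = (const char *)getauxval(AT_EXECFN);
    if (!fn)
        return 0;
    return (uintptr_t)fn + strlen(fn) + 1;
}

/* Highest-addressed environment string: the post's "last envar". */
const char *last_env_string(void)
{
    const char *best = NULL;
    for (char **e = environ; e && *e; e++)
        if (!best || *e > best)
            best = *e;
    return best;
}

/* 1 if the live layout matches the post's picture:
 *   stack_top - sizeof(void *)  : NUL of the exec'd filename string
 *   directly below the filename : the last environment string
 * With an empty environment only the first condition is checked. */
int layout_matches_post(void)
{
    uintptr_t top = stack_top_from_maps();
    const char *fn = (const char *)getauxval(AT_EXECFN);
    const char *env = last_env_string();
    if (!top || !fn)
        return 0;
    if ((uintptr_t)fn + strlen(fn) + 1 + sizeof(void *) != top)
        return 0;
    if (env && (uintptr_t)env + strlen(env) + 1 != (uintptr_t)fn)
        return 0;
    return 1;
}

int main(void)
{
    const char *fn = (const char *)getauxval(AT_EXECFN);
    const char *env = last_env_string();
    printf("stack top (/proc/self/maps): 0x%" PRIxPTR "\n", stack_top_from_maps());
    printf("exec'd filename \"%s\" at %p, ends at 0x%" PRIxPTR "\n",
           fn ? fn : "(none)", (const void *)fn, execfn_end());
    if (env)
        printf("last env string starts at %p: \"%.20s\"\n", (const void *)env, env);
    printf("layout matches the post's picture: %s\n",
           layout_matches_post() ? "yes" : "no");
    return layout_matches_post() ? 0 : 1;
}
```

Run it twice in a row: the strings keep the same relative order every time, which is the regularity the post relies on, but the absolute stack top differs between runs unless ASLR is disabled (for example with setarch -R), so a hard-coded 0x7FFFFFFC-style constant no longer identifies anything. That per-exec randomisation is the mitigation the kernel adopted against exactly this class of address computation.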