Vuln Dev
Is this an off-by-one overflow? Feb 19 2003 10:58AM
exce boxen netwinder nu (1 replies)
Re: Is this an off-by-one overflow? Feb 19 2003 04:59PM
spacewalker (spacewalker altern org)
[note: please answer me with a working email, as I think we might continue chatting off the list]

You've probably overwritten a local pointer with a bugged strcpy. That's not an off-by-one in my sense, but without more source/asm output, I couldn't say much.
By my experience, I think you might have overwritten the return address on the stack (use the bt command from gdb to reveal it).
To exploit it, I think you'll need some skill in overflow exploitation because it isn't really simple to exploit (you'll have to replace the AAAA in the pointer with some valid pointer so you can restore the original work of the function and then exploit it when it returns to the previous function).

Excuse me if I'm fuzzy, you had been fuzzy too :)

Now, do you really need to exploit it? Is it suid root on some boxes? Don't you have access to the sources or to a coder to fix it (like adding "n" to the strcpy)?

It won't even replace a good analysis from a security code auditor.
Regards,
spacewalker

[ reply ]
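As an added example (not code from the thread), this shows the bounded copy the reply recommends next to the terminator pitfall of a bare strncpy; the struct layout, NAME_LEN and the function names are assumptions used for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed fixed-size buffer, standing in for the one in the question. */
#define NAME_LEN 16

/* Bounded copy that always NUL-terminates and reports whether the whole
 * source fit. Returns true if src fit, false if it was truncated. */
bool copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return false;
    size_t n = strlen(src);
    bool fits = n < dstsz;               /* room for the terminator too */
    size_t to_copy = fits ? n : dstsz - 1;
    memcpy(dst, src, to_copy);
    dst[to_copy] = '\0';
    return fits;
}

/* Why "just add an n" needs care: strncpy with the full buffer size writes
 * no terminator once src is that long (the classic off-by-one). Returns true
 * if the copied buffer contains a NUL anywhere. */
bool strncpy_is_terminated(const char *src) {
    char buf[NAME_LEN];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* The layout the reply describes: a fixed buffer followed by a local
 * pointer. With copy_bounded the neighbouring pointer survives any input.
 * Returns 1 if the pointer is unchanged after the copy. */
struct frame {
    char name[NAME_LEN];
    const char *next;   /* stands in for the clobbered local pointer */
};

int pointer_survives(const char *input) {
    static const char sentinel[] = "sentinel";
    struct frame f;
    f.next = sentinel;
    copy_bounded(f.name, sizeof f.name, input);
    return f.next == sentinel;
}
```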
Copyright 2009, SecurityFocus