BugTraq
Re: Buffer overflow/privilege escalation in MacOS X Dec 15 2003 10:48PM
Dave G. (daveg atstake com) (2 replies)
Re: Buffer overflow/privilege escalation in MacOS X Dec 16 2003 06:15PM
Mariusz Woloszyn (emsi ipartners pl)
On Mon, 15 Dec 2003, Dave G. wrote:

> Indeed. However, due to several mitigating factors, this issue does not
> appear to be exploitable (at least not with any of the techniques I am
> aware of). The overflow occurs in main() and there is an unavoidable
> exit() at the end of the function. So while you can overwrite the
> return stack frame, the process will never use your new value.
>
But you overflow local variables, argc and argv**, so if the program ever
uses them after the overflow, it might be possible to exploit it, _before_
exit().

See: http://www.phrack.org/show.php?p=56&a=5, at the end of the "Oily way"
part. We explained there how to exploit code protected by a compiler
placing a canary word before the RET. Of course a couple of conditions
must be fulfilled.

Regards,

--
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners

Re: Buffer overflow/privilege escalation in MacOS X Dec 16 2003 05:39PM
Seth Arnold (sarnold wirex com)
Copyright 2010, SecurityFocus