Bugtraq mailing list archives
Re: glibc/locale exploit for linux/x86
From: Olaf Kirch <okir () CALDERA DE>
Date: Thu, 7 Sep 2000 10:43:37 +0200
On Wed, Sep 06, 2000 at 09:01:47PM +0800, Warning3 wrote:
> printf("Using RET location address: 0x%x\n", retloc);
> shell_addr = get_esp() + offset;

I've always wondered why all these exploits mess around with strange
offsets... When the ix86 Linux kernel execs an ELF program, the stack
looks like this (at least it did every time I checked):

    0x80000000
    0x7FFFFFFC    00 00 00 00
                  argv[0] + NUL byte
                  last envar
                  ...
                  first envar
                  argv

So it's easy to compute the start of your shell code without having to
rely on magic offsets:

    shell_addr = (caddr_t) 0x7FFFFFFC - strlen(ARGV0) - 1 - strlen(EGG) - 1;
    ...
    n = 0;
    myenv[n++] = ...
    myenv[n++] = EGG;
    myenv[n++] = NULL;
    execle(VICTIM_PROGRAM, ARGV0, ..., NULL, myenv);

Just wondering...

Olaf
--
Olaf Kirch          |  --- o ---  Nous sommes du soleil we love when we play
okir () monad swb de  |   / | \    sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
          UNIX, n.: Spanish manufacturer of fire extinguishers.
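A layout check for the method Olaf describes, added here as an example; it is not code from the original post or from the exploit it replies to. It reads the running process's own environment vector (glibc's `environ`, Linux assumed) to confirm that the strings the kernel copied at exec time sit back-to-back, then predicts where any env string starts from the end of that block and the lengths of the strings above it. That is the general form of Olaf's `shell_addr` formula, which is the special case where the EGG is the last env string and the block ends at 0x7FFFFFFC minus ARGV0 and its NUL. The names `victim` and `EGG=abc` are constructed inputs, and because the absolute top of the stack is randomised on current kernels, `stack_top` is a parameter rather than a constant the code claims for today's systems.

```c
/* Added example: checks the "no magic offsets" stack-layout argument on a
 * live process. Linux/glibc assumed for extern char **environ. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

extern char **environ;

/* Number of entries in a NULL-terminated string vector (argv or envp). */
size_t vec_len(char *const *v)
{
    size_t n = 0;
    while (v[n] != NULL)
        n++;
    return n;
}

/* 1 if every string ends (NUL included) exactly where the next one begins,
 * i.e. the vector still has the contiguous, ascending layout the kernel
 * builds at the top of the initial stack. */
int strings_contiguous(char *const *v)
{
    size_t n = vec_len(v);
    for (size_t i = 0; i + 1 < n; i++)
        if (v[i] + strlen(v[i]) + 1 != v[i + 1])
            return 0;
    return 1;
}

/* Address one past the NUL of the last string: the end of the block.
 * NULL for an empty vector. */
char *block_end(char *const *v)
{
    size_t n = vec_len(v);
    if (n == 0)
        return NULL;
    return v[n - 1] + strlen(v[n - 1]) + 1;
}

/* Olaf's arithmetic generalised to any entry: starting from the address just
 * above the block, subtract the length (plus NUL) of every string placed at
 * or above entry i. No stack pointer, no guessed offset. */
char *env_addr_from_end(char *end, char *const *v, size_t i)
{
    size_t n = vec_len(v);
    uintptr_t p = (uintptr_t)end;
    for (size_t j = i; j < n; j++)
        p -= strlen(v[j]) + 1;
    return (char *)p;
}

/* 1 if the predicted address of entry i equals the real one (or there is
 * no entry i to check). */
int prediction_matches(char *const *v, size_t i)
{
    if (i >= vec_len(v))
        return 1;
    return env_addr_from_end(block_end(v), v, i) == v[i];
}

/* Olaf's original formula: the EGG is the last env string, ARGV0 sits just
 * above it, and the terminating zero word is at stack_top (his 0x7FFFFFFC). */
uintptr_t egg_addr(uintptr_t stack_top, const char *argv0, const char *egg)
{
    return stack_top - (strlen(argv0) + 1) - (strlen(egg) + 1);
}

int main(void)
{
    size_t n = vec_len(environ);
    printf("env strings contiguous: %d\n", strings_contiguous(environ));
    if (n > 0) {
        char *end = block_end(environ);
        printf("envp[0]   real %p predicted %p\n", (void *)environ[0],
               (void *)env_addr_from_end(end, environ, 0));
        printf("envp[n-1] real %p predicted %p\n", (void *)environ[n - 1],
               (void *)env_addr_from_end(end, environ, n - 1));
    }
    /* Olaf's constant with constructed argv0 and EGG values. */
    printf("EGG would start at 0x%lx\n",
           (unsigned long)egg_addr(0x7FFFFFFCUL, "victim", "EGG=abc"));
    return 0;
}
```

Run it from a normal shell and the two predicted addresses match the real ones; if `strings_contiguous` reports 0, something in the process (a `putenv` of a heap string, a modified loader) has already broken the assumption Olaf's shortcut rests on, which is exactly the condition to check before dropping the offset guessing.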
Current thread:
- glibc/locale exploit for linux/x86 Warning3 (Sep 06)
- Re: glibc/locale exploit for linux/x86 Olaf Kirch (Sep 07)
- <Possible follow-ups>
- Re: glibc/locale exploit for linux/x86 Raúl Saura (Sep 07)
- glibc/locale sploit for ImmunixOS Mariusz Woloszyn (Sep 20)