Bugtraq mailing list archives

Re: Format String Attacks


From: Serguei Patchkovskii <patchkov () UCALGARY CA>
Date: Wed, 13 Sep 2000 11:38:43 -0600

On Wed, 13 Sep 2000, Doug Hughes wrote:

> Since I don't recall anybody else posting one, here is a simple, generic,
> setuid wrapper that people could use around, for instance, /usr/bin/eject
> or other setuid programs.

Yeah, it will certainly make it unnecessary to go through the bother of
exploiting any of the format string bugs. However, it is quite unlikely
to make your systems any safer:

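#include <unistd.h>

int
main( int argc, char *argv[] )
{
  /* execute the program named in argv[1], passing "./gotcha" as its argv[0] */
  execl( argv[1], "./gotcha", (char *) NULL ) ;
  return 1 ;  /* reached only if execl() fails */
}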

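> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>   /* strlen, strcpy, strcat */
> #include <unistd.h>   /* execve */
>
> int
> main (int argc, char *argv[]) {
>
>       char *origfile;
>       char *envp[1] = { (char *) NULL };   /* run the target with an empty environment */
>
>       /* target path is argv[0] + ".orig": 5 characters plus the terminating NUL */
>       if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {
>               perror("allocating memory");
>               exit(1);
>       }
>       strcpy(origfile, argv[0]);
>       strcat(origfile, ".orig");
>
>       execve(origfile, argv, envp);
>       perror("execve");   /* reached only if execve() fails */
>       return 1;
> }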

---
Home page: http://www.cobalt.chem.ucalgary.ca/ps/
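
The wrapper quoted above builds its exec path from argv[0], which the caller controls. As an added example (not code from either poster), one way to keep the empty-environment behaviour without trusting argv[0] is to use only its final path component as a key into a fixed table of absolute paths; the ALLOWED table, its single entry and resolve_target() are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical allow-list: wrapper name -> fixed absolute path of the real
 * binary. The single entry is an assumption for illustration. */
static const struct { const char *name; const char *target; } ALLOWED[] = {
    { "eject", "/usr/bin/eject.orig" },
};

/* Map argv[0] to a trusted target. Only the final path component is used,
 * and only as a lookup key: no caller-supplied bytes reach the exec path. */
const char *resolve_target(const char *argv0)
{
    const char *base;
    size_t i;

    if (argv0 == NULL)              /* execve() permits an empty argv */
        return NULL;
    base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    for (i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(base, ALLOWED[i].name) == 0)
            return ALLOWED[i].target;
    return NULL;
}

int main(int argc, char *argv[])
{
    char *envp[] = { NULL };        /* same empty environment as the original */
    const char *target = resolve_target(argc > 0 ? argv[0] : NULL);

    if (target == NULL) {
        fputs("wrapper: caller-supplied name is not on the allow-list\n", stderr);
        return 1;
    }
    execve(target, argv, envp);
    perror("execve");               /* reached only if execve() fails */
    return 127;
}
```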

