Bugtraq mailing list archives

Using Environment for returning into Lib C

From: "Elie aka \"Lupin\" Bursztein" <elie () bursztein net>
Date: Tue, 26 Feb 2002 19:27:59 -0800


hello,
This advisory intends to present a new way to make a return to lib C exploit.

Synopsis
--------

By using the environment variables one could easily exploit a buffer
overflow with the return into lib C technic.

Details
--------
If we make an analogy with the shellcode technic :
the \x20 act as \x90. For the system() function the sting "/bin/sh/" is equal
to "          /bin/sh".
the return address overflowed is the system() address.
the arg address will be our variables environment address.
It give flexibility to the arg passed and help to chaining the return to lib C.

Article
-------

Related article describing this technic and example source code :http://www.bursztein.net/secu/rilc.html


This technic should open a new range of exploits using the return into lib C.



Sincerely,

Elie aka "Lupin" Bursztein
___________________________
icq  : 32228319
mail : elie () bursztein net
web  : www.bursztein.net
___________________________
"Simplicity is difficulty"

Current thread:

Using Environment for returning into Lib C Elie aka "Lupin" Bursztein (Feb 27)