mailing list archives
Re: your mail
From: stuckey () mrcnext cso uiuc edu (Anthony J. Stuckey)
Date: Wed, 27 Sep 1995 15:05:13 -0500
Hey folks, I need to know about this 'stack overwriting thing'
that is so lively discussed. As I understand it (and correct me
if I'm wrong), the point is to pass in data to a non-bound
checking routine (like syslog), and make it so constructed
that it 'rewrites' some parameters on the stack.
Subsequent routines will then pop these phoney params and
off we go...
Am I right? Can anybody provide me with more detailed info
and perhaps some harmless example (please please please!!!)
BTW, I am thinking about a possible bug in programs, that open
files R/RW and tell them to be opened across exec()'s. They maybe
setuid() in time, but forget to close the file descriptor (hmm).
Go check it out!
It's simple programming from cs 102, really.
When you make a function call, your stack looks like this:
function parameters from parent
return addressing information
local variables for current function.
It's very easy to see that overwriting local variables trashes the value
of others or the stack pointer. Usually this results in harmless crashes.
If you're very clever and know the exact size of the local buffer you're
trying to overwrite, as well as some memory addressing information, you can
attempt to get some form of viral code executing.
strcpy(), sprintf(), and other functions that don't do bounds checking
are basically evil, especially when combined with random data pulled in
from out of the machine.
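The pattern the reply describes, shown as an added example that is not part of the original thread: a local buffer filled by `strcpy()` with no bound, next to the checked forms a defender would use instead. The buffer size, the function names and the sample inputs are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* assumed size of the local buffer in this example */

/* 'Before' pattern from the reply: strcpy() copies until the NUL terminator
 * and never looks at the destination size, so a source of BUF_SIZE bytes or
 * more overruns buf[] into the neighbouring stack slots (other locals, saved
 * frame pointer, return address).  It is only called with input that fits
 * here; calling it with anything longer is undefined behaviour. */
void copy_unchecked(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);
    printf("copied: %s\n", buf);
}

/* Defender's check: would this input overrun a BUF_SIZE buffer?  The '>='
 * accounts for the terminating NUL that strcpy() also writes. */
int would_overflow(const char *src)
{
    return strlen(src) >= BUF_SIZE;
}

/* 'After': copy only if the whole string plus its NUL fits; otherwise refuse
 * rather than silently truncate, and never write more than dst_len bytes.
 * Returns 0 on success, -1 if the input does not fit. */
int copy_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* sprintf() has the same problem; snprintf() bounds the write and returns
 * the length the full output would have had, so a result >= dst_len means
 * the message was truncated.  Returns 0 on success, -1 on truncation. */
int format_checked(char *dst, size_t dst_len, const char *user)
{
    int n = snprintf(dst, dst_len, "user=%s", user);
    if (n < 0 || (size_t)n >= dst_len)
        return -1;
    return 0;
}

int main(void)
{
    char dst[BUF_SIZE];
    const char *ok = "short";                                    /* constructed */
    const char *too_long = "this string is far longer than sixteen bytes";

    copy_unchecked(ok);                                          /* fits */
    printf("would_overflow(too_long) = %d\n", would_overflow(too_long));
    printf("copy_checked(too_long)   = %d\n", copy_checked(dst, sizeof dst, too_long));
    printf("copy_checked(ok)         = %d -> %s\n", copy_checked(dst, sizeof dst, ok), dst);
    printf("format_checked(alice)    = %d -> %s\n", format_checked(dst, sizeof dst, "alice"), dst);
    return 0;
}
```

The two checked functions make the decision explicit: an input that does not fit is reported to the caller instead of overwriting whatever sits above the buffer on the stack, which is the failure mode the reply describes.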