Full Disclosure mailing list archives

Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too)
From: Valdis.Kletnieks () vt edu
Date: Mon, 09 May 2005 14:11:57 -0400

On Mon, 09 May 2005 10:09:59 PDT, Day Jay said:
> We all saw how short the code was I had for that pwck
> buffer overflow exploit. He also hardcodes the stack
> pointer, hahah.

Note that there's absolutely nothing wrong with hardcoding the
stack pointer when the ABI makes it impossible for it to have
any other value.  And if you actually knew C well enough to read
the code, you'd see:

/*
 * "Addr" is the predicted address where the shellcode starts in the
 * environment buffer. This was determined empirically based on a test
 * program that ran similarly, and it ought to be fairly consistent.
 * This can be changed with the "-a" parameter.
 */
static long     addr = 0x7ffffc04;

So there's a default value, and a documented -a switch to change it if needed.

Compare and contrast this with:

  offset = 1700; //the offset I first found worked

Who's doing the hardcoding here? Steve or the guy whose code you ripped off?


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
