the trick here is to use a wrapper program to that calls the executable
without *any arguments* including argv[0]
at that point argc == 0 argv[0] == NULL
and argv[1] is somewhere in the the environmental variables..
and.. as an asside, when playing wargames.. its usually best not to cheat or
you really get nothing out of it.
-phar
----- Original Message -----
From: <padre_at_correo.ugr.es>
To: <vuln-dev_at_securityfocus.com>
Sent: Tuesday, May 23, 2006 1:51 PM
Subject: argc issue
hi!
i' ve a code thats looks like:
------------------- code ----------------------
int main (int argc, char **argv)
{
char *a;
char *b;
a=malloc(char *)(100);
b=malloc(char *)(100);
if (argc)
exit (-1);
else {
strcpy(a,argv[1]);
}
free (a);
return 0;
}
---------------- code ---------------------------
I contais an explotable heap overflow. I can overwrite b's chunk head so I
can write into DTOR_END the addr i want.
But the main issue is " if (argc) exit(0);" . How can I change the argc
variable so it contais the value of 0?.
thanks and srry for my poor english :(
Received on May 26 2006
Intro
