Bugtraq mailing list archives

Re: resend


From: casper () HOLLAND SUN COM (Casper Dik)
Date: Fri, 7 Aug 1998 21:37:21 +0200


No one worried much about stack-smashing in those days.  It would have
been a difficult attack, though, since the stack grew up, and local
variables would have been allocated after the save area.  (While the
current routine's save area didn't have the actual return address, by
convention it had a back-pointer to the previous save area at a fixed
offset from the start of the area.  The attack would have involved
creating a bogus save area with register 14 pointing to the new code,
then smashing the back pointer in the current save area.)


I don't think stacks growing upward help; remember that most exploits
in C involve one of the unbounded copy routines and that those
overwrite the invocation record of the function calling sprintf/str* etc.
(Or one level deeper as on SPARC).

When the stack grows up, sprintf/str* will overwrite their own invocation
record/return address.  So it's actually easier as there's no code executed
between the return from str*/sprintf; instead those functions return
directly to the exploit code.

Casper
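An added example, not part of Casper's message or of this thread, that lets a reader check the frame-layout argument above on their own machine: it measures whether the stack grows down or up and whether an overrun of a caller's local buffer (which always writes toward higher addresses) would run into the callee's frame first (the upward-stack case Casper describes) or into the caller's own frame. It assumes GCC or Clang for the noinline attribute and performs no overflow itself.

```c
/* Added example (not from the Bugtraq thread). Measures stack growth
 * direction and which frame sits "above" a caller's local buffer.
 * Assumes GCC/Clang (__attribute__((noinline))) so every function
 * really gets its own stack frame. Nothing here writes out of bounds. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define NOINLINE __attribute__((noinline))

/* Stands in for sprintf/str*: reports the address of one of its own locals,
 * which lives in the callee's frame next to the callee's saved return. */
static NOINLINE uintptr_t callee_frame_marker(void)
{
    volatile int marker = 0;            /* volatile keeps it on the stack */
    return (uintptr_t)&marker;
}

/* Returns 1 if the stack grows toward lower addresses (x86, SPARC, ARM),
 * 0 if it grows upward (e.g. HP PA-RISC). */
NOINLINE int stack_grows_down(void)
{
    volatile int caller_local = 0;
    uintptr_t callee = callee_frame_marker();
    return callee < (uintptr_t)&caller_local;
}

/* Returns 1 if an overrun of the caller's buffer would reach the callee's
 * frame (the callee's own return address) before the caller's saved frame.
 * An overrun writes toward higher addresses, so the callee's frame is only
 * in the way when it sits above the buffer, i.e. on an upward stack. */
NOINLINE int overrun_hits_callee_first(void)
{
    volatile char buf[16];
    memset((char *)buf, 0, sizeof buf);
    uintptr_t callee = callee_frame_marker();
    return callee > (uintptr_t)buf;
}

int main(void)
{
    printf("stack grows %s\n", stack_grows_down() ? "down" : "up");
    printf("an overrun of a caller's buffer reaches the %s frame first\n",
           overrun_hits_callee_first() ? "callee's (sprintf/str*)"
                                       : "caller's own");
    return 0;
}
```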


