> Ingo Molnar <mingo@redhat.com> writes:
>
> > ie. if the binary anywhere has code that does:
> >
> > system("/bin/sh")
>
> You just need system(char *arg) { ... } (= in every libc). Then put
> /bin/sh somewhere and a pointer to it on the stack as argument and
> overwrite some return address on the stack to jump to it.
well, how do you put the pointer on the stack if your only way to get into
the ASCII-area is to stop the overflow early and use the final \0 ? [and
the parameter has to be put _after_ the enclosing \0. ] It's not 100%
impossible, but in the common case looks quite unlikely.
Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/