hello, This advisory intends to present a new way to make a return to lib C exploit. Synopsis -------- By using the environment variables one could easily exploit a buffer overflow with the return into lib C technic. Details -------- If we make an analogy with the shellcode technic : the \x20 act as \x90. For the system() function the sting "/bin/sh/" is equal to " /bin/sh". the return address overflowed is the system() address. the arg address will be our variables environment address. It give flexibility to the arg passed and help to chaining the return to lib C. Article ------- Related article describing this technic and example source code : http://www.bursztein.net/secu/rilc.html This technic should open a new range of exploits using the return into lib C. Sincerely, Elie aka "Lupin" Bursztein ___________________________ icq : 32228319 mail : elie@bursztein.net web : www.bursztein.net ___________________________ "Simplicity is difficulty"
