On Mon, 15 Dec 2003, Dave G. wrote:

> Indeed. However, due to several mitigating factors, this issue does not
> appear to be exploitable (at least not with any of the techniques I am
> aware of). The overflow occurs in main() and there is an unavoidable
> exit() at the end of the function. So while you can overwrite the
> return stack frame, the process will never use your new value.
>

But you overflow local variables, argc and argv**, so if the program ever uses it after the overflow, it might be possible to exploit it, _before_ exit(). See: http://www.phrack.org/show.php?p=56&a=5, at the end of the "Oily way" part. We explained there how to exploit code protected with a compiler placing a canary word before the RET. Of course a couple of conditions must be fulfilled.

Regards,

--
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners
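The pattern the thread is arguing about, as an added example that is not part of the list message or the Phrack article: a main()-style function whose fixed-size local buffer sits next to values (here argc) that the function still uses before it returns or calls exit(). The unsafe form is the unbounded copy the thread describes; the hardened form checks the length before copying and reports failure instead of overflowing. Function names, the buffer size and the sample arguments are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed buffer size for the example */

/* Unsafe pattern ("before"): an unbounded strcpy into a stack buffer.
 * An over-long argv[1] runs past `name` into whatever the compiler laid
 * out next to it (other locals, saved argc/argv, a canary), and the later
 * use of argc sees clobbered data before the function ever reaches
 * exit().  Kept only for comparison; never call it with untrusted input. */
int greet_unsafe(int argc, char **argv)
{
    char name[NAME_MAX];
    if (argc < 2)
        return -1;
    strcpy(name, argv[1]);                       /* no length check */
    printf("hello %s (argc=%d)\n", name, argc);  /* argc used after the copy */
    return 0;
}

/* Hardened form: reject input that does not fit, copy with an explicit
 * bound, and always leave `out` NUL-terminated.
 * Returns 0 on success, 1 if the argument is too long, -1 if it is missing. */
int greet_safe(int argc, char **argv, char *out, size_t outlen)
{
    if (argc < 2 || argv[1] == NULL || outlen == 0)
        return -1;
    size_t n = strlen(argv[1]);
    if (n >= outlen)            /* must leave room for the terminating NUL */
        return 1;
    memcpy(out, argv[1], n + 1);
    return 0;
}

int main(int argc, char **argv)
{
    char name[NAME_MAX];
    int rc = greet_safe(argc, argv, name, sizeof name);
    if (rc == 0)
        printf("hello %s (argc=%d)\n", name, argc);
    else if (rc == 1)
        fprintf(stderr, "argument too long (max %d bytes)\n", NAME_MAX - 1);
    else
        fprintf(stderr, "usage: %s <name>\n", argv[0]);
    return rc == 0 ? 0 : 1;
}
```

The point of the hardened version is not the specific copy routine but that the length decision is made before any byte lands on the stack, so the neighbouring locals (and the canary, where one exists) are never written at all rather than being checked only at the function epilogue.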