I'm not very experienced with buffer overflowing, but I played around a little bit and it seems that even without the length check it is not possible to overwrite EIP - at least not in the 'normal' way. The program seems to work correctly even if you feed it many more chars than the buffer can take; there is no error like "segmentation fault" or anything else like this.

I also used gdb and set a breakpoint at "exit". Now running the program with

(gdb) r `perl -e 'print "A" x 10000'`

also gives no error, and I couldn't find a "41" in any register. (gdb) c only says "Continuing. Program exited with code 01.".

So what? Does this "exit(1)" really prevent the program from being exploited?

greetings
Tom

------------------------------------

> I'm not a Linux C guru but I don't think that will help. You are still
> copying over memory.
> If I'm not wrong, exit(1) means "exit with failure", your program will
> signal to the OS that your program failed in execution.
> The only thing that would help you is to...
>
> #include <stdio.h>
> #include <stdlib.h>   /* exit() */
> #include <string.h>   /* strncpy() */
> int main(int argc, char **argv)
> {
>     char buf[100+1]; // + NULL
>     if (argc < 2)    // no argument: nothing to copy
>         exit(1);
>     strncpy(buf, argv[1], 100); // destination first, then source
>     buf[100] = '\0';            // strncpy() does not terminate when argv[1] has 100 or more chars
>     exit(1);
> }

------------------------------------------------------------------------
To unsubscribe email security-discuss-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
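An added example, not code from either poster, of the bounded copy the quoted reply is pointing at, with the two details that code gets wrong: strncpy() takes the destination first, and it does not NUL-terminate when the source is at least as long as the limit. The function and buffer names are mine; it reports truncation so an over-long argument (such as the 10000 'A's from the gdb run) is refused rather than silently cut or copied past the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 100

/* Copy src into dst, which holds dst_size bytes including the NUL.
 * Returns 0 if src fit, -1 if it had to be truncated or an argument was bad.
 * dst is always NUL-terminated on return, whatever strncpy() did. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    strncpy(dst, src, dst_size - 1);   /* destination first, source second */
    dst[dst_size - 1] = '\0';          /* terminator strncpy() may have skipped */
    return strlen(src) < dst_size ? 0 : -1;
}

int main(int argc, char **argv)
{
    char buf[BUF_LEN + 1];             /* +1 for the NUL */

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (copy_arg(buf, sizeof buf, argv[1]) != 0) {
        /* over-long input is rejected instead of overrunning buf */
        fprintf(stderr, "argument too long (max %d chars)\n", BUF_LEN);
        return 1;
    }
    printf("copied %zu chars: %s\n", strlen(buf), buf);
    return 0;
}
```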