| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200505091811.j49IBwi2021812@turing-police.cc.vt.edu> Date: Mon May 9 19:12:08 2005 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) On Mon, 09 May 2005 10:09:59 PDT, Day Jay said: > We all saw how short the code was I had for that pwck > buffer overflow exploit. He also hardcodes the stack > pointer, hahah. Note that there's absolutely nothing wrong with hardcoding the stack pointer when the ABI makes it impossible for it to have any other value. And if you actually knew C well enough to read the code, you'd see: /*------------------------------------------------------------------------ * "Addr" is the predicted address where the shellcode starts in the * environment buffer. This was determined empirically based on a test * program that ran similarly, and it ought to be fairly consistent. * This can be changed with the "-a" parameter. */ static long addr = 0x7ffffc04; So there's a default value, and a documented -a switch to change it if needed. Compare and contrast this with: offset = 1700; //the offset I first found worked Who's doing the hardcoding here? Steve or the guy who's code you ripped off? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050509/f607acf9/attachment.bin
Powered by blists - more mailing lists