From owner-freebsd-questions Thu Dec 9 12:13:15 1999
Delivered-To: freebsd-questions@freebsd.org
Reply-To:
From: "Gene Harris"
To:
Subject: RE: Yahoo hacked last night
Date: Thu, 9 Dec 1999 14:14:13 -0600
Message-ID: <51F9B228ED26D311A17700A0C9982664010A95@tetboss.tetronsoftware.com>
In-Reply-To: <54F9B228ED26D311A17700A0C998266401B46F@tetboss.tetronsoftware.com>

> For a function to be able to return to its caller it must store the
> return address on the stack; what a buffer overflow generally does
> is overwrite that return address with a pointer to some more data
> on the stack which is actually machine instructions to exec a shell.

This would imply that if a developer were to change the order of
declarations of the automatic variables, particularly byte arrays, a
buffer overflow attack could be thwarted after recompiling the daemon in
question? This might still cause the daemon to crash, but at least the
bad code would be thwarted.

> When the function returns, it gets hijacked, it never returns to its
> caller, it jumps into its own stack and execs a shell.

We used code like that back in the days of the 286 to make copy
protection more difficult to decipher. That is, until folks started
hacking addresses into our push statements. *grin*

    push SEGMENT(myfunc)   ; far address of the real target, pushed by hand
    push OFFSET(myfunc)
    ret                    ; consumed as a return address: control lands in myfunc

This used to drive the disassemblers crazy for a while.

Gene

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
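Added here as an illustration, not code from the thread: the pattern the quoted paragraph describes, written in C next to a bounds-checked version, with a note on why reordering the locals is not the fix. The names greet_unsafe, greet_safe, NAME_MAX and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* constructed buffer size for the example */

/* The pattern the quoted post describes: an unchecked copy into a fixed
 * automatic buffer. Input of NAME_MAX bytes or more runs past `name` into
 * the rest of the frame. Which neighbour is clobbered first (`count`, the
 * saved frame pointer, the return address) is the compiler's layout
 * decision, not the order of these declarations, so reordering them is
 * not a fix; compilers with stack protection already move arrays above
 * scalars and add a canary, which detects the corruption at return. */
int greet_unsafe(const char *input, char *out, size_t outlen)
{
    int  count = 0;
    char name[NAME_MAX];

    strcpy(name, input);                  /* the defect: no bound */
    for (const char *p = name; *p != '\0'; p++)
        count++;
    return snprintf(out, outlen, "hello %s (%d chars)", name, count);
}

/* Hardened form: measure with a bound, reject what does not fit together
 * with its terminator, then copy exactly that many bytes. Returns -1 on
 * rejection, otherwise snprintf's result. */
int greet_safe(const char *input, char *out, size_t outlen)
{
    char   name[NAME_MAX];
    size_t n = 0;

    while (n < NAME_MAX && input[n] != '\0')   /* never scans past NAME_MAX */
        n++;
    if (n >= NAME_MAX)
        return -1;
    memcpy(name, input, n);
    name[n] = '\0';
    return snprintf(out, outlen, "hello %s (%zu chars)", name, n);
}

int main(void)
{
    char out[64];
    /* constructed inputs: one that fits, one that would overflow `name` */
    if (greet_safe("gene", out, sizeof out) > 0)
        puts(out);
    if (greet_safe("this-name-is-far-too-long-for-the-buffer", out, sizeof out) < 0)
        puts("rejected: input does not fit in NAME_MAX");
    return 0;
}
```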