From owner-freebsd-questions@FreeBSD.ORG Mon Oct 18 00:01:30 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 57DE916A4CE for ; Mon, 18 Oct 2004 00:01:30 +0000 (GMT)
Received: from nic.ach.sch.gr (nic.sch.gr [194.63.238.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 808E543D45 for ; Mon, 18 Oct 2004 00:01:25 +0000 (GMT) (envelope-from keramida@ceid.upatras.gr)
Received: (qmail 27201 invoked by uid 207); 18 Oct 2004 00:01:23 -0000
Received: from keramida@ceid.upatras.gr by nic by uid 201 with qmail-scanner-1.21 (sophie: 3.04/2.19/3.81. Clear:RC:1(81.186.70.145):. Processed in 0.547437 secs); 18 Oct 2004 00:01:23 -0000
Received: from dialup145.ach.sch.gr (HELO gothmog.gr) ([81.186.70.145]) (envelope-sender ) by nic.sch.gr (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 18 Oct 2004 00:01:22 -0000
Received: from gothmog.gr (gothmog [127.0.0.1]) by gothmog.gr (8.13.1/8.13.1) with ESMTP id i9I01JDJ001109; Mon, 18 Oct 2004 03:01:19 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Received: (from giorgos@localhost) by gothmog.gr (8.13.1/8.13.1/Submit) id i9I01ImU001108; Mon, 18 Oct 2004 03:01:19 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Date: Mon, 18 Oct 2004 03:01:18 +0300
From: Giorgos Keramidas
To: Jason Dusek
Message-ID: <20041018000118.GB664@gothmog.gr>
References: <4172F3D2.8040200@uiowa.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4172F3D2.8040200@uiowa.edu>
cc: freebsd-questions@freebsd.org
Subject: Re: No Buffer Overflow
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 18 Oct 2004 00:01:30 -0000

On 2004-10-17 17:36, Jason Dusek wrote:
> Hi Everyone,
>
> I am reading an intro to shell-coding, and the following program is used as
> a simple example of vulnerable code:
>
> : #include <string.h>
> :
> : int
> : main(int argc, char **argv, char **envp)
> : {
> :     char buf[256];
> :     strcpy(buf, argv[1]);
> :
> :     return 0;
> : }
>
> When I run this code like this:
>
> 18 > vuln
> Segmentation fault (core dumped)
>
> it segfaults, like the tutorial says.

This invocation of the program segfaults because it tries to dereference
a NULL pointer while strcpy() runs.

> In the tutorial this line:
>
> 19 > vuln `perl -e 'print "A"x256 . "BBBB" . "CCCC"'`
>
> also segfaults, but not on my machine.  Is this some FreeBSD security
> feature?  If this doesn't cause a segfault, does it still overflow?

The overflow still occurs.  You just happen to be overwriting random
stack data.  By invoking undefined behavior, after writing past the end
of an array, you shouldn't expect to get predictable results; not even
a segmentation fault is guaranteed.

- Giorgos
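The two failure modes discussed in this thread (a NULL argv[1] and an argument longer than the 256-byte buffer) are both caught by a bounded copy that checks its inputs. The following program is an added example written for this page, not code from the tutorial or from either poster; it keeps the shape of the tutorial's main() but replaces the unchecked strcpy() with a length-checked copy and rebuilds the 264-byte `perl` input in memory so the checks can be exercised without running the shell command. All function names (copy_arg_checked, run, demo_tutorial_input, and so on) are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 256   /* same buffer size as the tutorial's char buf[256] */

/* Result codes for copy_arg_checked(). */
enum copy_status { COPY_OK = 0, COPY_NULL_SRC = -1, COPY_TOO_LONG = -2 };

/*
 * Bounded replacement for the tutorial's strcpy(buf, argv[1]).
 * Rejects a NULL source (the "vuln" run with no argument) and refuses to
 * write past dst (the "A"x256 . "BBBB" . "CCCC" run). Only strlen() and
 * memcpy() are used, so it builds on any C library.
 */
static int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0)
        return COPY_TOO_LONG;          /* no room even for a terminator */
    if (src == NULL) {
        dst[0] = '\0';
        return COPY_NULL_SRC;
    }
    size_t len = strlen(src);
    if (len >= dstsz) {                /* len + NUL would not fit */
        dst[0] = '\0';                 /* leave a valid empty string behind */
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, len + 1);         /* len bytes plus the NUL */
    return COPY_OK;
}

/* Hardened counterpart of the tutorial's main(): argc is checked, the copy is bounded. */
static int run(int argc, char **argv)
{
    char buf[BUF_SIZE];
    const char *arg = (argc > 1) ? argv[1] : NULL;
    int rc = copy_arg_checked(buf, sizeof buf, arg);

    if (rc == COPY_NULL_SRC) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (rc == COPY_TOO_LONG) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buf - 1);
        return 1;
    }
    printf("copied %zu bytes\n", strlen(buf));
    return 0;
}

/* Constructed input: the thread's perl payload, 256 'A' then "BBBB" then "CCCC". */
static int demo_tutorial_input(void)
{
    char input[256 + 4 + 4 + 1];
    char buf[BUF_SIZE];
    memset(input, 'A', 256);
    memcpy(input + 256, "BBBBCCCC", 9);  /* 8 bytes plus the NUL */
    return copy_arg_checked(buf, sizeof buf, input);
}

/* Constructed input: a string of `len` 'A' bytes; 255 fits, 256 does not. */
static int copy_status_for_length(size_t len)
{
    char buf[BUF_SIZE];
    char *input = malloc(len + 1);
    if (input == NULL)
        return COPY_NULL_SRC;
    memset(input, 'A', len);
    input[len] = '\0';
    int rc = copy_arg_checked(buf, sizeof buf, input);
    free(input);
    return rc;
}

/* The "18 > vuln" case: argc == 1, so argv[1] would be NULL. */
static int demo_no_argument(void)
{
    return run(1, (char *[]){"vuln", NULL});
}

/* A well-formed short argument. */
static int demo_short_argument(void)
{
    return run(2, (char *[]){"vuln", "hello", NULL});
}

int main(int argc, char **argv)
{
    return run(argc, argv);
}
```

With the tutorial's 264-byte input the checked version reports "argument too long" and exits 1 instead of overwriting the saved frame pointer and return address; with no argument it prints a usage line instead of dereferencing NULL inside strcpy(). Because the original program's behaviour after the overflow is undefined, whether it crashes depends on what happens to sit above buf on the stack, which is why the same input segfaults on one system and not another.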