From: "Conrad J. Sabatier"
To: freebsd-questions@freebsd.org
Date: Sun, 17 Oct 2004 20:41:52 -0500
Subject: Re: No Buffer Overflow
Message-ID: <20041017204152.4046638e@dolphin.local.net>
In-Reply-To: <20041018000118.GB664@gothmog.gr>
References: <4172F3D2.8040200@uiowa.edu> <20041018000118.GB664@gothmog.gr>

On Mon, 18 Oct 2004 03:01:18 +0300, Giorgos Keramidas wrote:

> On 2004-10-17 17:36, Jason Dusek wrote:
> > Hi Everyone,
> >
> > I am reading an intro to shell-coding, and the following program is
> > used as a simple example of vulnerable code:
> >
> > : #include <string.h>
> > :
> > : int
> > : main(int argc, char **argv, char **envp)
> > : {
> > :     char buf[256];
> > :     strcpy(buf, argv[1]);
> > :
> > :     return 0;
> > : }
> >
> > When I run this code like this:
> >
> > 18 > vuln
> > Segmentation fault (core dumped)
> >
> > it segfaults, like the tutorial says.
>
> This invocation of the program segfaults because it tries to
> dereference a NULL pointer while strcpy() runs.
>
> > In the tutorial this line:
> >
> > 19 > vuln `perl -e 'print "A"x256 . "BBBB" . "CCCC"'`
> >
> > also segfaults, but not on my machine. Is this some FreeBSD security
> > feature? If this doesn't cause a segfault, does it still overflow?
>
> The overflow still occurs. You just happen to be overwriting random
> stack data. By invoking undefined behavior, after writing past the
> end of an array, you shouldn't expect to get predictable results; not
> even a segmentation fault is guaranteed.

I'm glad you replied to the OP, because the way he was showing his
attempts to run the program, it looked like he was invoking some
programs called "18" and "19" and redirecting their stdout to "vuln".
You must have already been familiar with the book or tutorial he was
referring to. :-)

-- 
Conrad J. Sabatier -- "In Unix veritas"
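The two failure modes discussed in the thread, a missing argument (NULL dereference) and an over-long argument (silent overflow of the 256-byte buffer), both come from the unbounded strcpy(). The following is an added example, not code from the thread or the tutorial: a bounded copy that reports each case, with a helper that constructs the tutorial's "A"x256 . "BBBB" . "CCCC" payload against the same 256-byte buffer (the names copy_arg and copy_tutorial_payload are this example's own).

```c
#include <stdio.h>
#include <string.h>

/* Outcome of copying one argument into a fixed-size buffer. */
enum copy_result { COPY_OK = 0, COPY_NULL_SRC = -1, COPY_TRUNCATED = 1 };

/* Bounded replacement for the tutorial's strcpy(buf, argv[1]): never writes
 * past dstsz bytes, always NUL-terminates dst, and reports both failure modes
 * from the thread, a missing argument (NULL) and an over-long one. */
enum copy_result copy_arg(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0)
        return COPY_NULL_SRC;              /* nowhere safe to write */
    if (src == NULL) {                     /* "vuln" run with no argument */
        dst[0] = '\0';
        return COPY_NULL_SRC;
    }
    const char *nul = memchr(src, '\0', dstsz);   /* scan at most dstsz bytes */
    if (nul == NULL) {                     /* src plus its NUL does not fit */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);    /* copies the NUL too */
    return COPY_OK;
}

/* Builds the tutorial's payload ("A" x n_as . "BBBB" . "CCCC"), a constructed
 * input, and feeds it to copy_arg() with the same 256-byte buffer. */
enum copy_result copy_tutorial_payload(size_t n_as)
{
    char payload[512], buf[256];
    if (n_as > sizeof payload - 9)
        return COPY_NULL_SRC;              /* keep the payload itself in bounds */
    memset(payload, 'A', n_as);
    memcpy(payload + n_as, "BBBBCCCC", 9); /* 8 bytes plus terminating NUL */
    return copy_arg(buf, sizeof buf, payload);
}

/* Hardened counterpart of the tutorial's main(). */
int main(int argc, char **argv)
{
    char buf[256];
    switch (copy_arg(buf, sizeof buf, argc > 1 ? argv[1] : NULL)) {
    case COPY_OK:        printf("copied %zu bytes\n", strlen(buf)); return 0;
    case COPY_TRUNCATED: fprintf(stderr, "argument too long, truncated\n"); return 1;
    default:             fprintf(stderr, "usage: %s <string>\n", argv[0]); return 2;
    }
}
```

With 247 or fewer leading "A"s the payload fits with its terminator; from 248 on, and for the tutorial's 256, the copy is truncated and reported rather than spilling onto the stack.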