From owner-freebsd-chat Wed Dec 8 11:30:17 1999
Delivered-To: freebsd-chat@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 449761585B; Wed, 8 Dec 1999 11:30:02 -0800 (PST) (envelope-from bright@wintelcom.net)
Received: from localhost (bright@localhost) by fw.wintelcom.net (8.9.3/8.9.3) with ESMTP id LAA16387; Wed, 8 Dec 1999 11:58:23 -0800 (PST)
Date: Wed, 8 Dec 1999 11:58:23 -0800 (PST)
From: Alfred Perlstein
To: Jonathon McKitrick
Cc: Kris Kennaway, freebsd-chat
Subject: Re: Yahoo hacked last night
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 8 Dec 1999, Jonathon McKitrick wrote:

> On Wed, 8 Dec 1999, Kris Kennaway wrote:
> >worth the effort given the expected rewards. Hell, even SSH has had buffer
> >overflows..
>
> One thing I never understood... why does a buffer overflow automatically
> cause a root shell, or does it always? I mean, when I crash
> programs, I get a core dump and that's it. Even with segmentation faults,
> the memory protection seems quite robust, and the OS stays on its feet.
> I've never been dropped to root on my own system, despite crashing.

For a function to be able to return to its caller it must store the return
address on the stack. What a buffer overflow generally does is overwrite
that return address with a pointer to some more data on the stack which is
actually machine instructions to exec a shell. When the function returns,
it gets hijacked: it never returns to its caller, it jumps into its own
stack and exec's a shell.

-Alfred

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
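The bug shape Alfred is describing, as an added example that is not part of the thread and not Alfred's code: a fixed-size stack buffer filled by an unbounded `strcpy()`, placed next to a bounded version that rejects input which would not fit. The function names (`greet_unsafe`, `greet_safe`), the buffer size `NAME_LEN`, and the constructed inputs are assumptions for illustration. The point for a defender is that the saved return address is only reachable because the copy has no bound; once the write is bounded by `sizeof(buf)`, over-long input is reported and never leaves the buffer, so there is nothing to hijack.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* size of the fixed stack buffer (assumed value) */

/* Vulnerable shape, shown for contrast only: strcpy() copies until it sees
 * the source NUL and never looks at the size of the destination. A name of
 * NAME_LEN bytes or more writes past buf into the rest of the stack frame,
 * which is where the saved return address Alfred mentions lives. In this
 * example it is only ever called with input that fits. */
int greet_unsafe(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);              /* no bound: this is the bug */
    return (int)strlen(buf);
}

/* Hardened shape: the length is checked against sizeof(buf) before any
 * byte is written, so the copy can never leave the buffer, and over-long
 * input is reported (-1) instead of being silently truncated or spilled.
 * Returns the number of bytes stored on success. */
int greet_safe(const char *name)
{
    char buf[NAME_LEN];
    size_t n = strlen(name);
    if (n >= sizeof(buf))          /* n bytes plus the terminating NUL must fit */
        return -1;
    memcpy(buf, name, n + 1);       /* bounded copy, NUL included */
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: one short name and one 64-byte run of 'A'
     * that would overrun a 16-byte buffer if copied without a bound. */
    char longname[65];
    memset(longname, 'A', 64);
    longname[64] = '\0';

    printf("short input : %d\n", greet_safe("alfred"));
    printf("long input  : %d\n", greet_safe(longname));
    return 0;
}
```

`greet_safe` deliberately rejects rather than truncates: silent truncation keeps the program from crashing but can still produce a wrong value downstream, whereas an explicit error return lets the caller log the event, which is also the signal a detection rule would key on.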