> And I forgot to mention one more requirement: the vulnerable binary has to
> be dynamically linked for this exploit method to work. Otherwise only the
Probably almost nobody links everything running with root privileges
statically...
> functions that the program actually uses are available in the exploit, so
> that creating a generic exploit isn't possible. Also, it is only possible
> to return into _one_ libc function (well, there's a special case when that
> function got exactly one argument), so stuff like open() a file and write()
> there will not work. This means some statically linked vulnerable programs
execv() is often sufficient...
[snip]
Martin
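The quoted message makes the point that this return-into-libc method needs a dynamically linked target, and Martin's reply is that almost nothing running as root is linked statically. An auditor who wants to know which privileged binaries on a system are actually dynamically linked can read that directly from the ELF program headers: a dynamic executable carries a PT_INTERP entry (naming the loader) and a PT_DYNAMIC entry, a static one carries neither. The checker below is an added example written for this page, not code from the thread; it parses both ELF32 and ELF64 and the two sample images it tests against are constructed inline (the loader path in the dynamic sample is just a plausible constructed value).

```python
"""Classify an ELF image as dynamically or statically linked from its program headers."""
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def describe_linking(data: bytes) -> dict:
    """Return {'dynamic': bool, 'interp': str | None} for an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]          # 1 = ELF32, 2 = ELF64; 1 = LE, 2 = BE
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt = end + "IIQQQQQQ"               # type, flags, offset, vaddr, paddr, filesz, memsz, align
        off_idx, sz_idx = 2, 5
    elif ei_class == 1:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt = end + "IIIIIIII"               # type, offset, vaddr, paddr, filesz, memsz, flags, align
        off_idx, sz_idx = 1, 4
    else:
        raise ValueError("unknown ELF class %d" % ei_class)

    has_dynamic, interp = False, None
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        p_type = fields[0]
        if p_type == PT_DYNAMIC:
            has_dynamic = True
        elif p_type == PT_INTERP:
            p_offset, p_filesz = fields[off_idx], fields[sz_idx]
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode("ascii", "replace")
    return {"dynamic": has_dynamic or interp is not None, "interp": interp}


# --- constructed sample images (not real binaries) -------------------------

def _elf64(phdrs, payload=b""):
    """Build a minimal little-endian x86-64 ELF: header, program headers, then payload bytes."""
    ehsize, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, ehsize, 0, 0,
                              ehsize, phentsize, len(phdrs), 0, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + payload


def _elf32(phdrs, payload=b""):
    """Build a minimal little-endian i386 ELF the same way."""
    ehsize, phentsize = 52, 32
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, ehsize, 0, 0,
                              ehsize, phentsize, len(phdrs), 0, 0, 0)
    return hdr + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs) + payload


_INTERP = b"/lib64/ld-linux-x86-64.so.2\0"        # constructed loader path
_INTERP_OFF = 64 + 2 * 56                           # payload starts right after the two phdrs
DYNAMIC_SAMPLE = _elf64([
    (PT_INTERP, 4, _INTERP_OFF, 0, 0, len(_INTERP), len(_INTERP), 1),
    (PT_DYNAMIC, 6, 0, 0, 0, 0, 0, 8),
], _INTERP)
STATIC_SAMPLE = _elf64([(PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)])
STATIC32_SAMPLE = _elf32([(PT_LOAD, 0, 0x8048000, 0x8048000, 0x1000, 0x1000, 5, 0x1000)])


if __name__ == "__main__":
    # Usage: python elfcheck.py /path/to/binary ...   (e.g. the setuid binaries found with find -perm -4000)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = describe_linking(f.read())
        print("%s: %s%s" % (path, "dynamic" if info["dynamic"] else "static",
                            " (interp %s)" % info["interp"] if info["interp"] else ""))
```

On a live system `readelf -l` prints the same program headers, so this is only useful when you want the check inside your own inventory tooling; the point for a defender is that a list of dynamically linked setuid and root-run binaries is the list of programs to which the discussed constraint does not apply.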