Re: [PATCH] [SECURITY] suid procs exec'd with bad 0,1,2 fds

Marty Leisner (linker@z.ml.org)
Tue, 4 Aug 1998 23:29:05 -0400 (EDT)


On Tue, 4 Aug 1998, Brandon S. Allbery KF8NH wrote:

> In message <Pine.LNX.3.96.980804182414.7515A-100000@z.ml.org>,
> linker@z.ml.org
> writes:
> +-----
> | On Wed, 5 Aug 1998, Geert Uytterhoeven wrote:
> | > On Tue, 4 Aug 1998 linker@z.ml.org wrote:
> | > > As for changing the address to someplace in libc, couldn't we relocate
> | > > all libs so that they have a null byte in their address?
> | > What are you trying to achieve with this? Sorry, I don't get it.
> |
> | The copy routines that people exploit copy null-terminated strings. So the
> | exploiter must make their exploit code void of null characters, because
> | sending one will stop the copy. If you make it tougher to form a pointer
> | to those 'bad' functions without using null characters then it makes their
> | job harder.
> +--->8
>
> So they do two copies instead of one, with the second placing the NUL where
> it's wanted. I see no major improvement here.

Minor problem with that thought: How do they get the program to copy to
the same buffer twice? :) They can't control the program, and I seriously
doubt you could get any program to do that.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html
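The point the two sides are arguing over can be made concrete. The following is an added example, not code from the thread or from the kernel: it simulates a strcpy-style overflow of an 8-byte buffer into the 4-byte slot that follows it on a 32-bit little-endian machine (the i386 systems the list was discussing in 1998). The frame layout, the 0xDEADBEEF placeholder for the old saved value, and the target addresses 0x00bf1234 and 0x00bf0034 are all constructed for illustration. It shows three things: a strcpy-style copy writes exactly one NUL, the terminator, so an address whose only zero byte is the most significant one can still be delivered in a single copy (the terminator lands in the right place); a zero anywhere lower truncates the pointer; and the two-copies trick from the quoted reply does rebuild such a pointer, but only if the program can be made to run the copy into the same buffer twice, which is exactly what the author doubts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>

#define BUF_LEN   8                 /* the buffer the program meant to fill   */
#define FRAME_LEN (BUF_LEN + 4)     /* plus the 4-byte slot that follows it   */

/* strcpy-style copy: copies bytes up to and including the first NUL.
 * The real bug has no bound at all; the cap only keeps this demo inside
 * the constructed frame so the simulation stays well defined. */
static size_t bad_copy(unsigned char *dst, const char *src, size_t cap)
{
    size_t n = 0;
    for (;;) {
        if (n == cap)
            return n;
        dst[n] = (unsigned char)src[n];
        if (src[n] == '\0')
            return n + 1;
        n++;
    }
}

/* Read the 4-byte little-endian value sitting just past the buffer. */
static uint32_t slot_value(const unsigned char *frame)
{
    return (uint32_t)frame[BUF_LEN]
         | ((uint32_t)frame[BUF_LEN + 1] << 8)
         | ((uint32_t)frame[BUF_LEN + 2] << 16)
         | ((uint32_t)frame[BUF_LEN + 3] << 24);
}

/* Build a fresh frame, apply each overflowing copy in turn, and return
 * what ends up in the slot after the buffer. */
static uint32_t run_overflow(const char *const *copies, size_t ncopies)
{
    unsigned char frame[FRAME_LEN];
    memset(frame, 0, BUF_LEN);
    /* constructed "old" saved value: 0xDEADBEEF, little-endian */
    frame[BUF_LEN + 0] = 0xEF;
    frame[BUF_LEN + 1] = 0xBE;
    frame[BUF_LEN + 2] = 0xAD;
    frame[BUF_LEN + 3] = 0xDE;
    for (size_t i = 0; i < ncopies; i++)
        bad_copy(frame, copies[i], FRAME_LEN);
    return slot_value(frame);
}

/* One copy of one string, as a single strcpy overflow would do. */
uint32_t one_copy(const char *payload)
{
    return run_overflow(&payload, 1);
}

/* Two copies into the same buffer, the second one shorter so that its
 * terminating NUL lands inside the pointer written by the first. */
uint32_t two_copies(const char *first, const char *second)
{
    const char *copies[2] = { first, second };
    return run_overflow(copies, 2);
}

int main(void)
{
    /* Target 0x00bf1234: only the top byte is zero, and strcpy's own
     * terminator supplies it, so a single copy delivers the pointer. */
    printf("single copy, top byte zero : 0x%08" PRIx32 "\n",
           one_copy("AAAAAAAA\x34\x12\xbf"));

    /* Target 0x00bf0034: the zero in byte 1 ends the string early, so the
     * pointer is truncated and the old upper bytes survive. */
    printf("single copy, inner zero    : 0x%08" PRIx32 "\n",
           one_copy("AAAAAAAA\x34\x00\xbf"));

    /* Same target, two copies: the first writes a placeholder 'A' where
     * the zero belongs, the second's terminator overwrites it with NUL. */
    printf("two copies, inner zero     : 0x%08" PRIx32 "\n",
           two_copies("AAAAAAAA\x34\x41\xbf", "AAAAAAAA\x34"));
    return 0;
}
```

The first case is the caveat a practitioner should keep in mind when relying on a zero byte in an address: on a little-endian target a zero in the most significant byte is free, because the copy's terminator puts it there, provided the pointer is the last thing in the payload. Only zeros in the lower bytes actually block a single copy, and the second and third cases show what that blocking looks like and what it takes to get around it.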