Date:      Thu, 9 Dec 1999 14:14:13 -0600
From:      "Gene Harris" <zeus@tetronsoftware.com>
To:        <freebsd-questions@freebsd.org>
Subject:   RE: Yahoo hacked last night
Message-ID:  <51F9B228ED26D311A17700A0C9982664010A95@tetboss.tetronsoftware.com>
In-Reply-To: <54F9B228ED26D311A17700A0C998266401B46F@tetboss.tetronsoftware.com>

>
> For a function to be able to return to its caller it must store the
> return address on the stack, what a buffer overflow generally does
> is overwrite that return address with a pointer to some more data
> on the stack which is actually machine instructions to exec a shell.
>

This would imply that if a developer were to change the order of
declarations of the automatic variables, particularly byte arrays,
that a buffer overflow attack could be thwarted, after recompiling the
daemon in question?  This might still cause the daemon to crash, but
at least the bad code would be thwarted.

> When the function returns, it gets hijacked, it never returns to its
> caller, it jumps into its own stack and exec's a shell.
>

We used code like that back in the days of the 286 to make copy
protection more difficult to decipher.  That is until folks started
hacking in addresses into our push statements.  *grin*

push SEGMENT(myfunc)   ; push the segment half of myfunc's far address
push OFFSET (myfunc)   ; push the offset half on top of it
ret                    ; far return: pops offset:segment and "returns" into myfunc

This used to drive the disassemblers crazy for a while.

Gene
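As an added illustration that is not part of the thread: a small C model of the frame layout the quoted message describes, with a guard word placed between the byte array and the saved return address. It shows that what protects the return address is a check on the guard before control leaves the function (what a compiler's stack protector does), rather than the source order of the declarations, which C does not guarantee the compiler will keep. The struct layout, canary value and input are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame: the local byte array sits below the saved return
 * address, so bytes written past the end of buf reach ret_addr. A guard word
 * (canary) is placed between them, as a stack protector would. */
struct frame {
    char buf[16];
    uint32_t canary;      /* guard word, checked before "returning" */
    uintptr_t ret_addr;   /* stand-in for the saved return address */
};

#define CANARY_VALUE 0xA5C3F00Du   /* constructed constant for the example */

/* Unbounded copy of untrusted input into the frame starting at buf: the defect
 * the thread discusses. The write is clamped to the struct so the simulation
 * itself stays well-defined C; it still runs past buf into canary/ret_addr. */
static void unchecked_copy(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f + offsetof(struct frame, buf), in, len);
}

/* Guard check a protected function performs before it returns. */
static int frame_intact(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Feed len bytes of 'A's through the unchecked copy. Returns 1 if the guard
 * check would have caught the overwrite before control reached ret_addr. */
int overflow_detected(size_t len)
{
    unsigned char input[64];
    memset(input, 'A', sizeof input);                     /* constructed input */
    struct frame f = { {0}, CANARY_VALUE, 0x401000u };    /* placeholder addr */
    unchecked_copy(&f, input, len);
    return !frame_intact(&f);
}

int main(void)
{
    printf("10 bytes: detected=%d\n", overflow_detected(10));  /* fits in buf */
    printf("30 bytes: detected=%d\n", overflow_detected(30));  /* clobbers guard */
    return 0;
}
```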
