If the length of FROM is more than SIZE, then `strncpy' copies
just the first SIZE characters. Note that in this case there is
no null terminator written into TO.
no null terminator oh my.
At that point, as they say, the rest^H^H^H^Hsystem is history...
Nope, I would never have got this, I'll still run the example to see what
happens 'first hand' though.
[Ben] The actual mechanism, which can be seen by disassembling the
corefile, is a stack smash via a free() call overrun.
jail@Fenrir:~$ gdb -q -c core smash
Core was generated by `./smash
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x40096acf in _int_free () from /lib/libc.so.6
(gdb) x/i $eip
0x40096acf <_int_free+191>: mov %eax,0xc(%edx)
(gdb) info reg eax edx
eax 0x34333231 875770417
edx 0x44434241 1145258561
(gdb)
Joel Eriksson did a very impressive demo of getting root with the above
proglet in the vulndev forum. He used Solar Designer's shellcode, computed
the EIP, and pushed the shellcode onto the stack; voila. This, of course,
required the proglet to be SUID. Took ~20 lines of C.
I'm still challenged with a modem. I've got an HCF modem that refused to work
correctly when I upgraded my motherboard; I'm going to dig it out and play
with it some more [grin].
[Ben] [39]http://linmodems.org :)
Yeah, my modem used to work, but I just upgraded from a Duron to an Athlon XP
on a new board and the modem didn't work correctly. As I had a spare
external modem, although only 33.6 kbps, I used that instead, too lazy to
sort it out. Now that my dog's busy digesting big chunks of the power supply, I'm
forced to get the HCF modem running.
Take care,
Steve Brown.
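To make the strncpy point above concrete from the defensive side, here is an added example (my own illustration, not code from the thread or from Ben's or Joel's demo). The function names `strncpy_terminated` and `copy_bounded` are assumed names for this illustration. The first function shows that `strncpy` leaves no NUL in the destination when the source is at least SIZE long; the second is the bounded-copy idiom that always terminates, so a later string operation cannot run off the end of the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; hypothetical helper names, not from the original post. */

/* Fill dst with a sentinel, run strncpy as the manual describes, and report
 * whether any NUL byte ended up inside dst. Returns 1 if dst is a usable
 * C string afterwards, 0 if strncpy truncated without terminating. */
int strncpy_terminated(char *dst, size_t size, const char *src)
{
    memset(dst, 'X', size);            /* sentinel: shows exactly what strncpy wrote */
    strncpy(dst, src, size);
    return memchr(dst, '\0', size) != NULL;
}

/* Bounded copy that always NUL-terminates: copies at most size-1 bytes and
 * writes the terminator itself. Returns strlen(src), in the style of
 * snprintf, so the caller can detect truncation by comparing with size. */
size_t copy_bounded(char *dst, size_t size, const char *src)
{
    size_t len = strlen(src);
    if (size == 0)
        return len;                    /* nothing we can write safely */
    size_t copied = len < size - 1 ? len : size - 1;
    memcpy(dst, src, copied);
    dst[copied] = '\0';
    return len;
}

int main(void)
{
    char buf[8];
    const char *long_input = "AAAAAAAAAAAAAAAA";   /* constructed, 16 bytes */

    /* Short input: strncpy pads with NULs, so the buffer is terminated. */
    printf("short input terminated: %d\n",
           strncpy_terminated(buf, sizeof buf, "short"));

    /* Long input: all 8 bytes are 'A', no terminator anywhere in buf. */
    printf("long input terminated:  %d\n",
           strncpy_terminated(buf, sizeof buf, long_input));

    /* Bounded copy: 7 bytes plus terminator, and the caller learns it was truncated. */
    size_t needed = copy_bounded(buf, sizeof buf, long_input);
    printf("copy_bounded wrote \"%s\", needed %zu bytes, truncated: %d\n",
           buf, needed + 1, needed + 1 > sizeof buf);
    return 0;
}
```

The truncation check (`needed + 1 > sizeof buf`) is the part worth keeping in real code: silently dropping bytes is usually a bug in its own right, even once the terminator is guaranteed.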
____________________________________________________
Re: Dual "Linux Gazette"?
Sun, 6 Jun 2004 13:49:40 -0400
Ben Okopnik ([40]LG Technical Editor)
Question by God Rudy (Dpfrdtrky from netscape.net)
Hello Linux Gazette and Editor;
[Ben] Hi, Rudy -
I hope that this is the correct mailbox for my "old" question. About last
December I noticed that "www.linuxgazette.com" changed its pages drastically,
for the worse. Through a longer search, I found "linuxgazette.net" (the "old
version").
What happened?
I was reading back issues of both versions trying to find some answers --> not
much success!
[Ben] The answer can be found in the cover article that I wrote when we
separated from SSC (the hosts of LG.com) - take a look at
[41]http://linuxgazette.net/issue96/reborn.html . We've actually been
trying to contact readers like yourself, trying to get the word out that
the original Gazette and the original mission are still very much in
operation and going full force; unfortunately, we have not had much
success, particularly since SSC has acted very hostile indeed throughout
the entire process and has suppressed any mention of us in their pages.
We still have a large number of readers, mirrors, and translators, but I
wish there was a way to notify people like yourself of the change. If you
have any ideas on that score, please feel free to let me know.
Rudy (just another garden variety God :-)
[Ben] Aren't we all? :)
Hello Ben;
Thanks.
Found it! I was expecting something with more "flags". I was just looking
for the wrong thing :-)
Rudy
____________________________________________________
Re: Foolish things....
=4= |