I'll try, I've just been reading my first book about how this works. I'm a somewhat junior programmer so my understanding is somewhat lacking. I believe that it is possible because of the way things are represented in memory, when you're taking in input from a user, so something like this:

    void somefunc(char *someNastyUserspaceStrings)
    {
        char mybuf[32];
        strcpy(mybuf, someNastyUserspaceStrings);  /* no length check */
        ...
    }

The attacker sends a longer than 32 byte string into that 'untrusted user input', putting code which overwrites the return address of the function that should be in memory at (or near?) the end of the buffer, with the address of a function call of your choice. Someone else can probably explain that part better. So rather than executing what you've specified when the function returns, it proceeds to the attacker's nasty code. If hlds_l is running as root, that can be pretty bad. Because the attacker can set up any arbitrary code to run, they could say start a shell on port 17000, change root's password to what they want, connect to it, and be root on your system. There's many reasons why services that are known to run as root have been attacked over the years: if the service runs as root and I can overflow a buffer, I become root (hence the term 'rooted') with the right script.

At 09:26 PM 1/10/2003 +0100, you wrote:
> Sebastian Steinlechner wrote:
> > Actually, this advisory isn't researched to the end. The main problem
> > lies in cl_dll's text_message.cpp. Looking at
> > CHudTextMessage::MsgFunc_TextMsg() it's clear to see that there are
> > MANY potential buffer overflows. e.g., READ_STRING is able to return
> > a char array as long as 2048 chars, however, MsgFunc_TextMsg() only
> > declares an array of 128 chars, where the string returned by
> > READ_STRING is copied into via strcpy without any checks.
>
> And? What can be done if a buffer overflows? It's perhaps a basic question, but I really don't know anything about *hacking*. And I'm sure I'm not the only one there :)
> Well, explain it only if it can't give enough info about making a hack for HL!
>
> - Cortex : HL ALBATOR coder & mapper - [EMAIL PROTECTED] & ICQ : 71548738
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please visit:
> http://list.valvesoftware.com/mailman/listinfo/hlcoders
Pat 'sluggo' Magnan
Tour of Duty mod
http://www.tourofdutymod.com
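The overflow pattern the advisory and the reply above describe, as an added example that is not part of the original thread or of the Half-Life SDK: the unbounded strcpy into a 128-byte local next to a bounded version that rejects oversized messages, plus a byte-array model of the frame from the reply (32-byte buffer followed by the saved return address) showing exactly which payload bytes land on the return slot, including the terminating NUL from a string that is "only" 32 characters long. The buffer sizes 128 and 2048 come from the advisory; the function names, the filler bytes, and the 0x401234 return address are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the posts above or from the Half-Life SDK.
 * All names here (text_msg_unchecked, text_msg_checked, saved_return_after_copy,
 * demo_overwritten_return, make_net_string) are invented for illustration. */

#define TEXT_BUF        128   /* local buffer size in MsgFunc_TextMsg(), per the advisory */
#define MAX_NET_STRING  2048  /* longest string READ_STRING can hand back, per the advisory */

/* The vulnerable shape from the thread: a fixed local buffer and an unbounded
 * strcpy from data that came off the network.  strcpy writes
 * strlen(net_string)+1 bytes wherever psz happens to sit, so anything longer
 * than 127 characters spills into whatever follows psz on the stack.
 * Kept only to show the bug; never feed it untrusted input. */
static int text_msg_unchecked(const char *net_string)
{
    char psz[TEXT_BUF];
    strcpy(psz, net_string);
    return (int)strlen(psz);
}

/* The hardened shape: measure first, refuse anything that will not fit along
 * with its terminator, then copy exactly that many bytes.  Returns the length
 * copied, or -1 when the message was rejected. */
static int text_msg_checked(const char *net_string)
{
    char psz[TEXT_BUF];
    size_t n = 0;
    while (n < TEXT_BUF && net_string[n] != '\0')
        n++;
    if (n == TEXT_BUF)            /* 128+ characters: no room for the NUL */
        return -1;
    memcpy(psz, net_string, n + 1);
    return (int)strlen(psz);
}

/* Model of the frame the first reply describes: a 32-byte local buffer with
 * the saved return address right after it (real compilers put padding and
 * other locals in between, which an attacker measures rather than guesses).
 * The frame is a plain byte array and the copy is clipped at its end, so the
 * overflow is simulated in-bounds and this program itself stays well-defined. */
#define DEMO_BUF      32
#define FRAME_LEN     (DEMO_BUF + sizeof(uint64_t))
#define ORIGINAL_RET  0x0000000000401234ULL   /* assumed normal return address */

static uint64_t saved_return_after_copy(const char *input)
{
    unsigned char frame[FRAME_LEN];
    uint64_t ret = ORIGINAL_RET;
    size_t i = 0;

    memset(frame, 0, sizeof frame);
    memcpy(frame + DEMO_BUF, &ret, sizeof ret);

    /* strcpy semantics: copy until the NUL, with no regard for DEMO_BUF. */
    for (; i < FRAME_LEN && input[i] != '\0'; i++)
        frame[i] = (unsigned char)input[i];
    if (i < FRAME_LEN)
        frame[i] = '\0';          /* the terminator lands past the buffer too */

    memcpy(&ret, frame + DEMO_BUF, sizeof ret);
    return ret;
}

/* Constructed payload: 32 bytes of filler, then the address the attacker wants
 * the function to "return" to, laid out in the host's byte order exactly as
 * the saved return slot stores it. */
static uint64_t demo_overwritten_return(void)
{
    unsigned char payload[FRAME_LEN + 1];
    uint64_t want = 0xfedcba9876543210ULL;   /* every byte non-zero, so strcpy copies all of it */
    memset(payload, 'A', DEMO_BUF);
    memcpy(payload + DEMO_BUF, &want, sizeof want);
    payload[FRAME_LEN] = '\0';
    return saved_return_after_copy((const char *)payload);
}

/* Constructed network string of n 'A's, n <= MAX_NET_STRING. */
static const char *make_net_string(size_t n)
{
    static char s[MAX_NET_STRING + 1];
    if (n > MAX_NET_STRING)
        n = MAX_NET_STRING;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    printf("short message, checked copy: %d\n", text_msg_checked("Hello"));
    printf("2047-byte message, checked copy: %d (rejected)\n",
           text_msg_checked(make_net_string(2047)));
    printf("saved return, short input: 0x%llx\n",
           (unsigned long long)saved_return_after_copy("Hello"));
    printf("saved return, 40-byte payload: 0x%llx\n",
           (unsigned long long)demo_overwritten_return());
    return 0;
}
```

Build with `cc -o overflow_demo overflow_demo.c` and run it. The model deliberately leaves out what a real target adds (frame padding, stack canaries, ASLR, non-executable stacks), which is why a working exploit needs the exact distance from the buffer to the return slot rather than the 32 bytes assumed here; the fix side does not depend on any of that, only on refusing to copy more than the buffer holds.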