I'll try; I've just been reading my first book about how this works.

I'm a somewhat junior programmer, so my understanding is somewhat lacking. I
believe that it is possible because of the way things are represented in
memory when you're taking in input from a user, so something like this:

#include <string.h>

void somefunc(char * someNastyUserspaceStrings)
{
 char mybuf[32];
 strcpy(mybuf, someNastyUserspaceStrings); /* no length check: copies until the NUL */
 ...
}

The attacker sends a longer than 32 byte string into that 'untrusted user
input', putting code which overwrites the return address of the function
that should be in memory at or near (?) the end of the buffer, with the
address of a function call of your choice. Someone else can probably
explain that part better.

So rather than executing what you've specified when the function returns,
it proceeds to the attacker's nasty code.

If hlds_l is running as root, that can be pretty bad. Because the attacker
can set up any arbitrary code to run, they could, say, start a shell on port
17000, change root's password to what they want, connect to it, and be root
on your system.

There are many reasons why services that are known to run as root have been
attacked over the years: if the service runs as root and I can overflow a
buffer, I become root (hence the term 'rooted') with the right script.



At 09:26 PM 1/10/2003 +0100, you wrote:
Sebastian Steinlechner wrote:
> Actually, this advisory isn't researched to the end. The main problem
> lies in cl_dll's text_message.cpp. Looking at
> CHudTextMessage::MsgFunc_TextMsg() it's clear to see that there are
> MANY potential buffer overflows. e.g., READ_STRING is able to return
> a char array as long as 2048 chars, however, MsgFunc_TextMsg() does
> only declare an array of 128 chars, where the string returned by
> READ_STRING is copied into via strcpy without any checks.

And? What can be done if a buffer overflows? It's perhaps a basic
question, but I really don't know anything about *hacking*. And I'm sure I'm
not the only one there :)

Well, explain it only if it can't give enough info about making a hack for HL!

      - Cortex : HL ALBATOR coder & mapper
      - [EMAIL PROTECTED] & ICQ : 71548738


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlcoders
Pat 'sluggo' Magnan
Tour of Duty mod
http://www.tourofdutymod.com
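What the overflow described in the reply above actually does to the saved return address, as an added example that is not part of the original thread and not code from hlds_l or cl_dll. It models the frame as a plain byte array with an assumed layout (a 32-byte buffer immediately followed by an 8-byte return address), uses hypothetical addresses, and assumes a little-endian host; the copy routine mirrors strcpy's "copy until NUL" contract, and the bounded version beside it is the kind of fix the advisory's strcpy call would need.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame described in the thread: a 32-byte local
 * buffer immediately followed by the saved return address. Real frames depend
 * on compiler, ABI and stack-protector settings; the offsets and addresses
 * here are assumptions for illustration, not hlds_l's or cl_dll's layout. */
#define BUF_SIZE   32
#define RET_SIZE   sizeof(uint64_t)
#define FRAME_SIZE (BUF_SIZE + RET_SIZE)

#define ORIGINAL_RET 0x0000000000401234ULL /* hypothetical: where the caller resumes */
#define ATTACKER_RET 0x0000000000405678ULL /* hypothetical: where the attacker wants to go */

struct frame {
    unsigned char bytes[FRAME_SIZE]; /* [0,32) = mybuf, [32,40) = saved return address */
};

static void frame_init(struct frame *f)
{
    uint64_t ret = ORIGINAL_RET;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + BUF_SIZE, &ret, RET_SIZE);
}

/* Whatever currently sits in the saved-return-address slot. */
static uint64_t frame_saved_ret(const struct frame *f)
{
    uint64_t ret;
    memcpy(&ret, f->bytes + BUF_SIZE, RET_SIZE);
    return ret;
}

/* The bug: strcpy semantics, copying until the first NUL with no regard for
 * the 32-byte destination. The FRAME_SIZE bound only keeps the model inside
 * its own bytes; a real strcpy has no bound and runs on into the caller's frame.
 * Returns the number of bytes written, excluding the terminator. */
static size_t vulnerable_copy(struct frame *f, const char *input)
{
    size_t i = 0;
    while (input[i] != '\0' && i < FRAME_SIZE) {
        f->bytes[i] = (unsigned char)input[i];
        i++;
    }
    if (i < FRAME_SIZE)
        f->bytes[i] = '\0'; /* strcpy writes the terminator too */
    return i;
}

/* The fix: copy at most BUF_SIZE-1 bytes, always terminate, and report
 * truncation so the caller can reject the message rather than silently use
 * a clipped string. Returns 0 if the input fit, -1 if it was truncated. */
static int bounded_copy(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    int truncated = n >= BUF_SIZE;
    if (truncated)
        n = BUF_SIZE - 1;
    memcpy(f->bytes, input, n);
    f->bytes[n] = '\0';
    return truncated ? -1 : 0;
}

/* Attacker's string: 32 filler bytes to reach the end of mybuf, then the new
 * return address in host byte order. On a little-endian host the address's
 * low bytes come first and its first high zero byte ends the string; strcpy
 * writes that NUL into the frame, and the remaining high bytes were already
 * zero in the original saved address. */
static void build_payload(char *out, size_t out_len, uint64_t new_ret)
{
    memset(out, 0, out_len);
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &new_ret, RET_SIZE);
}

/* Run the payload through the strcpy-style copy; returns where the frame would now return to. */
uint64_t ret_after_vulnerable_copy(void)
{
    struct frame f;
    char payload[FRAME_SIZE + 1];
    frame_init(&f);
    build_payload(payload, sizeof payload, ATTACKER_RET);
    vulnerable_copy(&f, payload);
    return frame_saved_ret(&f);
}

/* Same payload through the bounded copy; the saved return address survives
 * and *truncated (if non-NULL) receives the -1 that flags the oversized input. */
uint64_t ret_after_bounded_copy(int *truncated)
{
    struct frame f;
    char payload[FRAME_SIZE + 1];
    int rc;
    frame_init(&f);
    build_payload(payload, sizeof payload, ATTACKER_RET);
    rc = bounded_copy(&f, payload);
    if (truncated)
        *truncated = rc;
    return frame_saved_ret(&f);
}

int main(void)
{
    int truncated = 0;
    printf("saved return address after strcpy-style copy: 0x%llx\n",
           (unsigned long long)ret_after_vulnerable_copy());
    printf("saved return address after bounded copy:      0x%llx (rc=%d)\n",
           (unsigned long long)ret_after_bounded_copy(&truncated), truncated);
    return 0;
}
```

The first line printed shows the saved return address replaced by the attacker's value; the second shows it intact, with the -1 telling the caller the message was too long. In the real cl_dll case the destination is 128 bytes and READ_STRING can hand back up to 2048, so the same bounded copy plus a reject-on-truncation check is the shape of the fix; whether a real overflow reaches the return address, and at what offset, depends on the compiler's frame layout, which this model only assumes.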
