Tom Weinstein writes:
Let's say, Mr. Weinstein, that you shove some code onto the stack along with the return address, and the address happens to be the code.
I never disputed that it could be done, I was just uncertain as to how easy it would be.
It's pretty obvious.
If you don't believe it can be done, it's easy enough to demonstrate it on your machines, which I believe suffer from the syslog(3) bug, which your company hasn't patched so far as I know, and which afflicts the Sendmail daemons you ship with your machines. See the recent 8lgm bug report if you want details.
Hmm, could you explain how to exercise this bug? Perhaps a sample program?
I can tell you in general terms -- I don't write MIPS assembler myself. However, I will point out to you that you use an ancient Sendmail, and that it uses syslog(3) on user produced data, and that syslog uses a static buffer. Trick sendmail into logging something very big, and you can do what you like. The 8lgm people wrote a demo for Sparc as a proof of concept.
Perry
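The defect Perry describes is a fixed-size static buffer being filled from caller-controlled data with no length check. The following C is an added illustration, not code from this thread, from 8lgm, or from any syslog implementation: it places the unbounded `sprintf` shape next to a bounded formatter that can never write past the buffer and that reports truncation so the caller notices oversized input. The buffer size, the `mail` tag, and the helper names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size log line buffer, standing in for the static
 * buffer a classic syslog(3) used. The size is constructed for this
 * example, not taken from any real implementation. */
#define LOG_LINE_MAX 128

/* Outcome of formatting one line, so callers can react to oversized input. */
struct log_result {
    size_t needed;  /* bytes the full message needed, excluding the NUL */
    int truncated;  /* 1 if the message did not fit and was cut short */
};

/* The 'before' shape: sprintf trusts that the caller's data fits.
 * Anything longer than the destination runs off its end. Kept here only
 * for comparison; the demonstration below never calls it. */
void format_log_line_unbounded(char *out, const char *tag, const char *user_data)
{
    sprintf(out, "%s: %s", tag, user_data);
}

/* Hardened form: snprintf never writes past out[outsz-1], always
 * NUL-terminates, and its return value tells us how much the message
 * would have needed, which is how truncation is detected. */
struct log_result format_log_line(char *out, size_t outsz,
                                  const char *tag, const char *user_data)
{
    struct log_result r = {0, 0};
    int n = snprintf(out, outsz, "%s: %s", tag, user_data);
    if (n < 0) {            /* encoding error: leave an empty, terminated line */
        out[0] = '\0';
        r.truncated = 1;
        return r;
    }
    r.needed = (size_t)n;
    r.truncated = (size_t)n >= outsz;
    return r;
}

/* Constructed input: a message several times larger than the buffer.
 * Returns 1 when the line was cut at the buffer limit and flagged. */
int demo_oversized_message(void)
{
    char buf[LOG_LINE_MAX];
    char big[1024];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    struct log_result r = format_log_line(buf, sizeof buf, "mail", big);
    return r.truncated && strlen(buf) == LOG_LINE_MAX - 1;
}

int main(void)
{
    printf("oversized message handled safely: %s\n",
           demo_oversized_message() ? "yes" : "no");
    return 0;
}
```

The point of returning `needed` and `truncated` rather than silently cutting the line is operational: a logging path that receives input far larger than any legitimate message is itself worth logging, and a bounded formatter makes that condition visible instead of turning it into memory corruption.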