Tom Weinstein writes:
> While it is certainly true that you can stomp on memory in static buffers, it's not clear that you can execute whatever code you insert there. If the buffer happens to be allocated off the stack (and the stack grows down) then you can modify the return address. Of course, you have to know the address of whatever code you want to execute.
Let's say, Mr. Weinstein, that you shove some code onto the stack along with the return address, and the address happens to be the code. If you don't believe it can be done, it's easy enough to demonstrate it on your machines, which I believe suffer from the syslog(3) bug, which your company hasn't patched so far as I know, and which afflicts the Sendmail daemons you ship with your machines. See the recent 8lgm bug report if you want details.
> Of course, that also assumes that you can execute from the data area which is not always true.
It's usually true on modern machines -- it's very difficult to rig things otherwise given the way that lots of the dynamic loading works these days.

Perry
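The layout Perry describes (injected code in the overflowed buffer, with the overwritten return address pointing back into that same buffer) and the check Tom's caveat calls for, as an added example that is not part of the original exchange. It assumes a simulated frame with the buffer below the saved frame pointer and return address (a downward-growing stack), 0x90 as the NOP byte (x86), and Linux's /proc/self/maps for the stack-permission check; the four "code" bytes are a constructed placeholder and are never executed.

```c
/* Added example, not from the original thread. Builds the classic
 * sled+code+address payload against a simulated stack frame and checks
 * whether the running host's stack is executable. Assumes x86 NOP (0x90)
 * and Linux /proc/self/maps; nothing here executes the injected bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { BUF_LEN = 64 };

/* Simulated frame. A struct fixes the layout so the offsets below are
 * deterministic; a real compiler may pad or reorder locals. */
struct frame {
    unsigned char buf[BUF_LEN];
    uintptr_t saved_fp;
    uintptr_t ret_addr;
};

/* Lay out: [NOP sled][code][filler over saved_fp][address into the sled].
 * Returns the payload length, or 0 if the code does not fit in buf. The
 * return address points into the middle of the sled, so the guessed
 * buffer address need only be approximately right. */
size_t build_payload(unsigned char *out, size_t out_len,
                     const unsigned char *code, size_t code_len,
                     uintptr_t buf_addr)
{
    size_t ret_off = offsetof(struct frame, ret_addr);
    size_t total = ret_off + sizeof(uintptr_t);
    if (code_len > BUF_LEN || out_len < total)
        return 0;
    size_t sled = BUF_LEN - code_len;
    memset(out, 0x90, ret_off);               /* sled, plus filler over saved_fp */
    memcpy(out + sled, code, code_len);       /* code ends exactly where buf[] ends */
    uintptr_t landing = buf_addr + sled / 2;  /* anywhere in the sled will do */
    memcpy(out + ret_off, &landing, sizeof landing);
    return total;
}

/* The unchecked copy: like strcpy() into the 64-byte local, this writes as
 * many bytes as the caller supplied, running past buf into saved_fp and
 * ret_addr. The frame is addressed as raw bytes so the overrun is defined
 * behaviour in this simulation. */
void smash_frame(struct frame *f, const unsigned char *payload, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, payload, len);
}

/* Where would `ret` land, relative to buf[0]? Returns -1 if the return
 * address does not point into the buffer at all. */
long landing_offset(const struct frame *f)
{
    uintptr_t lo = (uintptr_t)f->buf;
    if (f->ret_addr < lo || f->ret_addr >= lo + BUF_LEN)
        return -1;
    return (long)(f->ret_addr - lo);
}

/* End-to-end: overflow the simulated frame and report the landing offset.
 * The "code" is a constructed 4-byte placeholder, never executed. */
long demo(void)
{
    struct frame f = { {0}, 0xdeadbeef, 0x08048000 }; /* made-up saved values */
    static const unsigned char code[4] = { 0x31, 0xc0, 0xcd, 0x80 };
    unsigned char payload[sizeof(struct frame)];
    size_t n = build_payload(payload, sizeof payload, code, sizeof code,
                             (uintptr_t)f.buf);
    if (n == 0)
        return -1;
    smash_frame(&f, payload, n);
    return landing_offset(&f);
}

/* Tom's caveat, checked on the running host: 1 if the [stack] mapping in
 * /proc/self/maps is executable, 0 if not, -1 if the file is unavailable
 * (non-Linux) or has no [stack] entry. */
int stack_is_executable(void)
{
    FILE *fp = fopen("/proc/self/maps", "r");
    if (!fp)
        return -1;
    char line[512], perms[8] = {0};
    int result = -1;
    while (fgets(line, sizeof line, fp)) {
        if (strstr(line, "[stack]") && sscanf(line, "%*s %7s", perms) == 1) {
            result = strchr(perms, 'x') != NULL;
            break;
        }
    }
    fclose(fp);
    return result;
}

int main(void)
{
    printf("ret lands %ld bytes into buf (sled first, code from byte %d)\n",
           demo(), BUF_LEN - 4);
    printf("stack executable on this host: %d\n", stack_is_executable());
    return 0;
}
```

With a 4-byte placeholder, the sled is 60 bytes and the overwritten return address lands 30 bytes into the buffer, inside the sled, which is the "address happens to be the code" case Perry is describing. On a current Linux box the second line prints 0, which is exactly the non-executable-stack situation Tom raises; on the systems of the period it was 1.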