An MI program can create a system pointer, and the CALLX instruction will call the program that the system pointer points to. Theoretically, an MI program can root around in the automatic, static and heap storage space of a job, looking for system pointers, then materialize the pointer to determine the program that the system pointer points to. Once you find the pointer you are looking for, your MI code replaces that pointer with one that points to another program.

Let's say you have such an MI program but you can't restore it on the system. A CL or RPG program can, on the fly, build an array containing the MI statements of an MI program. Then, if you are authorized, your CL program can call the QPRCRTPG API. That API will compile the MI source code in the array and create a program.

What if you want code that runs every time an RPG program writes to a database file or reads from a display device? The SEPT (system entry point table) of a job contains resolved pointers to system programs. Not sure if a job can write to the SEPT, but if it can, an MI program could hook an entry in the SEPT - say one of the data management programs that handles database file I/O in an RPG400 program. Once hooked, every subsequent call in the job to that SEPT entry would actually call your MI program. Your MI program would run, do whatever special processing you want it to do, then in turn call the actual system program with the parms unchanged. An example of this might be to intercept writes to a display device and redirect the I/O to a web browser.

All theory of course. The SEPT hook is something I always wanted to try but did not have the nerve for. What is the worst that could happen? A system crash??

-Steve

-----Original Message-----
From: mi400-bounces@xxxxxxxxxxxx [mailto:mi400-bounces@xxxxxxxxxxxx] On Behalf Of Walden H. Leverich
Sent: Tuesday, July 19, 2005 4:09 PM
To: mi400-l@xxxxxxxxxxxx
Subject: [MI400] Buffer overflow and code execution on iSeries

On the Midrange-L list someone made the following comment about BIND and buffer overrun.

>remote execution via buffer overflow doesn't seem likely or possible on an iSeries box.

Now, that got me thinking, and maybe I just need to go read Leif's book again, but... Program A has its storage space, and let's say there's a field called 'FLD1' in that space. Now, as we all know, when I call program B and pass it FLD1 as a parm, only the address goes over, so if FLD1 is 30 bytes in program A but 60 bytes in program B, I can overwrite whatever is in memory after FLD1 in program A. Now, that _might_ be FLD2, right? What if FLD2 is the pointer to program C? Could program B change the value in FLD2 such that on the next attempted call to program C I actually called something else? Is this where I'd get caught by the tagged-pointer validation? But couldn't I load the appropriate values into the memory to make a valid pointer? I know you can create one per Leif's book.

So, as I'm thinking about it, code execution via buffer overrun is unlikely, nay, VERY unlikely, on iSeries, but it _is_ possible. Right?

-Walden

------------
Walden H Leverich III
Tech Software
(516) 627-3800 x11
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com

Quiquid latine dictum sit altum viditur. (Whatever is said in Latin seems profound.)

_______________________________________________
This is the MI Programming on the AS400 / iSeries (MI400) mailing list
To post a message email: MI400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/mi400
or email: MI400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/mi400.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.