[Info-vax] A DCL wish list of sorts...
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Mar 22 15:42:31 EDT 2019
On 2019-03-22, dgordonatvsi at gmail.com <dgordonatvsi at gmail.com> wrote:
> On Friday, March 22, 2019 at 11:04:38 AM UTC-4, pcanagno... at gmail.com wrote:
>
>>
>> Question: How does someone interject arbitrary instructions into the DCL table? I don't think the CDU supports hex escapes in strings. Perhaps that has been added.
>>
>> ~~ Paul
>
> It's the ability to overwrite the return address on the stack. Not all characters inside a quoted string need to be printable - you just need to be creative to get them in there. One of the CDU bugs (and there were many missed length and maximum item count bugs) allowed an over-length quoted string to be placed in the command table.
>
To Paul: In my case, I wrote a program which wrote out a .CLD with the
correct address within CTL$A_COMMON directly written into the prompt
string.
As DCL clearly uses either counted strings or descriptors for the
prompt (I don't know which as I have never seen the VMS source code),
I was able to directly enter 0x00 nulls into the prompt string without
having to worry about the copying of the prompt terminating when the
embedded nulls (as part of the address) were encountered.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
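
Added example, not part of the original post and not VMS, DCL or CDU code: a bounds-checked loader for a counted string, showing why the explicit length check is the only barrier once strings are counted rather than NUL-terminated. The record layout (one count byte followed by the data), FIELD_MAX and all names are assumptions made for illustration; the sample records are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32 /* assumed capacity of the fixed destination buffer */

enum { LOAD_OK = 0, LOAD_TRUNCATED = -1, LOAD_TOO_LONG = -2 };

/* Constructed sample records: one count byte, then that many data bytes. */
static const uint8_t REC_NULS[] = { 6, 'A', 0x00, 0x00, 'B', 0x00, 'C' };
static const uint8_t REC_OVERLONG[41] = { 40 };     /* count 40 > FIELD_MAX */
static const uint8_t REC_SHORT[] = { 5, 'a', 'b' }; /* count exceeds data */

/* Copy a counted string into dst only after checking the count against
 * both the bytes actually present and the destination capacity. */
int load_counted(const uint8_t *rec, size_t rec_len,
                 uint8_t dst[FIELD_MAX], size_t *out_len)
{
    if (rec_len < 1)
        return LOAD_TRUNCATED;
    size_t n = rec[0];
    if (n > rec_len - 1)
        return LOAD_TRUNCATED;
    if (n > FIELD_MAX)
        return LOAD_TOO_LONG;
    memcpy(dst, rec + 1, n); /* NUL bytes are copied like any other byte */
    *out_len = n;
    return LOAD_OK;
}

/* Bytes a NUL-terminated copy would stop after, for comparison. */
size_t nul_terminated_len(const uint8_t *rec, size_t rec_len)
{
    size_t n = 0;
    while (n + 1 < rec_len && n < rec[0] && rec[n + 1] != 0)
        n++;
    return n;
}

int main(void)
{
    uint8_t dst[FIELD_MAX];
    size_t n = 0;
    int rc = load_counted(REC_NULS, sizeof REC_NULS, dst, &n);
    printf("embedded NULs: rc=%d counted=%zu nul-terminated=%zu\n",
           rc, n, nul_terminated_len(REC_NULS, sizeof REC_NULS));
    printf("over-length:   rc=%d\n",
           load_counted(REC_OVERLONG, sizeof REC_OVERLONG, dst, &n));
    printf("short record:  rc=%d\n",
           load_counted(REC_SHORT, sizeof REC_SHORT, dst, &n));
    return 0;
}
```
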