Vulnerability Development: Re: samba base64 encode vulnerability

Re: samba base64 encode vulnerability

From: <Valdis.Kletnieks_at_vt.edu>
Date: Fri, 23 Jul 2004 23:08:56 -0400

On Fri, 23 Jul 2004 02:24:39 EDT, infamous41md_at_hotpop.com said:
> A question about exploiting the Samba vuln.
>
> if (*s == '=') n -= 1;
>
> /* fix up length */
> decoded.length = n;
>
> memcpy(s, decoded.data, decoded.length);
>
> If n == 0 before it is decremented, then it will wrap around to ~0 and the
> memcpy will eventually SEGFAULT. But can you exploit it still?

I haven't actually looked at the code, but several things come to mind:

1) Sometimes, being able to cause a segfault is more than sufficient by itself,
if your goal is to cause a DoS....

2) Being able to cause a DoS is a good start to playing a MITM attack against
somebody else...

3) A full root-shell type exploit will depend on whether you can cause the
memcpy() to leave interesting bytes at the right places - remember that you can
potentially go quite a long way before actually segfaulting. Note well that
not only will we walk off the end of the string 's', but we will ALSO most
certainly go strolling off the end of decoded.data. So focus your attention on
what's immediately following decoded.data in memory, keeping in mind that you
may have to rely on "stuff left over by previous packet". So you may end up
having to send ONE bogus packet to force a malloc() or leave stuff on the
stack, and then the NEXT packet walks off the end of decoded.data and picks up
what was in the malloc or left on the stack by a previous function.

Hopefully those thoughts help....

Received on Jul 24 2004
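The length fix-up the two posters are discussing, as an added example that is not part of the original thread and is not Samba's code: a minimal base64 decoder written in the same shape as the quoted snippet (count the output bytes touched, then subtract one per '='), beside a version with the checks that close the hole. The function names, the 16-bit accumulator and the test strings are all constructed for this illustration. The vulnerable variant never performs the oversized copy; it only returns the length that a following memcpy() would be handed, so the wrap can be observed without crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Samba's code: models the "n -= 1 per '='"
 * length fix-up quoted in the thread and the checks that prevent it from
 * underflowing. Inputs used below are constructed test strings. */

static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                        /* not an alphabet character, '=' included */
}

/* Vulnerable shape. 'n' is an int that counts every output byte touched so
 * far, a trailing partial byte included, and one '=' is assumed to cancel
 * exactly one of them. With no alphabet characters before the '=' (input
 * "="), n goes 0 -> -1 and the conversion to size_t yields SIZE_MAX: the
 * byte count a subsequent memcpy() would receive. 'out' must have room for
 * strlen(s) bytes. */
size_t b64_decode_vulnerable(const char *s, unsigned char *out)
{
    int bits = 0, i = 0, n = 0, v;
    unsigned acc = 0;
    size_t full = 0;

    while (*s && (v = b64_val(*s)) >= 0) {
        acc = ((acc << 6) | (unsigned)v) & 0xFFFFu;
        bits += 6;
        if (bits >= 8) {              /* a complete output byte is available */
            bits -= 8;
            out[full++] = (unsigned char)((acc >> bits) & 0xFF);
        }
        i++;
        n = (i * 6 + 7) / 8;          /* bytes touched, partial byte counted */
        s++;
    }

    if (*s == '=') n -= 1;            /* the fix-up: underflows when n == 0 */
    return (size_t)n;                 /* -1 becomes SIZE_MAX here */
}

/* Hardened shape: the length is the number of complete bytes actually
 * written, so it can never drop below zero; padding is only accepted where
 * a partial byte exists and its leftover bits are zero; every write is
 * bounded by 'out_len'. Returns the decoded length or (size_t)-1 on
 * malformed or oversized input, which callers must check before any copy. */
size_t b64_decode_safe(const char *s, unsigned char *out, size_t out_len)
{
    int bits = 0, v;
    unsigned acc = 0;
    size_t full = 0, pad = 0, want_pad;

    while (*s && (v = b64_val(*s)) >= 0) {
        acc = ((acc << 6) | (unsigned)v) & 0xFFFFu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (full >= out_len) return (size_t)-1;   /* no room: refuse */
            out[full++] = (unsigned char)((acc >> bits) & 0xFF);
        }
        s++;
    }

    while (*s == '=') { pad++; s++; }
    if (*s != '\0') return (size_t)-1;                /* junk after padding */

    /* 4 leftover bits (2 chars mod 4) need "==", 2 leftover bits need "=",
     * 0 leftover bits need none; 6 leftover bits can never be valid. */
    want_pad = (bits == 4) ? 2 : (bits == 2) ? 1 : 0;
    if (bits == 6 || pad != want_pad) return (size_t)-1;
    if ((acc & ((1u << bits) - 1)) != 0) return (size_t)-1;  /* dirty tail bits */
    return full;
}

int main(void)
{
    unsigned char buf[64];
    size_t n;

    n = b64_decode_vulnerable("=", buf);
    printf("vulnerable(\"=\") length = %zu (SIZE_MAX is %zu)\n", n, (size_t)SIZE_MAX);

    n = b64_decode_safe("=", buf, sizeof buf);
    printf("safe(\"=\") -> %s\n", n == (size_t)-1 ? "rejected" : "accepted");

    n = b64_decode_safe("aGVsbG8=", buf, sizeof buf);
    printf("safe(\"aGVsbG8=\") length = %zu, bytes = %.*s\n", n, (int)n, buf);
    return 0;
}
```

Both decoders agree on well-formed input ("aGVsbG8=" gives the five bytes of "hello"); they differ only at the edge the thread is about, a '=' with nothing decoded in front of it, where the first returns SIZE_MAX and the second returns an error the caller can act on before touching memcpy().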