Vulnerability Development: Re: vulnerabilities in this code chunk

Re: vulnerabilities in this code chunk

From: <bluepass_at_gmail.com>
Date: 28 Jul 2007 00:18:47 -0000
It is vulnerable to heap overflows.

An unsigned int and an unsigned long have the same size (4 bytes), as well as the same range (0 to 4294967295). The function 'copy_data()' takes 'data_len' as an unsigned int. The function 'memcpy()' takes its parameter as a 'size_t' which is nothing but an unsigned long.

If we send 'data_len' as 0xFFFFFFF8, when the 8 is added inside 'malloc()' it will become 0x100000000, and the leading 1, being an overflow, will be dropped. Note that this overflow is not the same as the heap overflow. This will cause 'malloc()' to allocate no space; however, it will return an address.

When the data is added to it with 'memcpy()', it will cause a heap overflow. With a good shellcode as 'data' and knowing that its address will be buf+8, you can execute arbitrary code.

- BluePass
Received on Jul 30 2007
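The arithmetic the post describes, as an added example that is not part of the original thread or its code chunk: a helper that evaluates 'data_len + 8' in 32-bit unsigned arithmetic and reports whether it wrapped, beside a hardened 'copy_data' that refuses such lengths before calling 'malloc()'. The 8-byte header size, the function names 'alloc_len_wraps' and 'copy_data_checked', and the sample input are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed: the 8 bytes the post says are added to data_len before malloc(). */
#define HEADER_LEN 8u

/* Compute data_len + HEADER_LEN with 32-bit unsigned (modular) arithmetic and
 * report whether the addition wrapped. A wrapped sum is always smaller than
 * data_len itself, which is the cheap, portable check for this bug class.
 * Returns 1 if the sum wrapped, 0 otherwise; *total receives the wrapped sum. */
int alloc_len_wraps(uint32_t data_len, uint32_t *total)
{
    uint32_t t = data_len + HEADER_LEN;   /* e.g. 0xFFFFFFF8 + 8 -> 0 */
    if (total) {
        *total = t;
    }
    return t < data_len;
}

/* Hardened version of the copy routine the post discusses (hypothetical name):
 * reject lengths whose header+payload size would wrap, so malloc() is never
 * asked for a buffer that is too small for the memcpy() that follows. */
unsigned char *copy_data_checked(const unsigned char *data, uint32_t data_len)
{
    uint32_t total;
    if (alloc_len_wraps(data_len, &total)) {
        return NULL;                      /* data_len + 8 does not fit in 32 bits */
    }
    unsigned char *buf = malloc(total);
    if (buf == NULL) {
        return NULL;
    }
    memset(buf, 0, HEADER_LEN);           /* header area, zeroed for the example */
    memcpy(buf + HEADER_LEN, data, data_len);
    return buf;
}

/* Round-trip a small constructed payload and confirm it lands at buf+8.
 * Returns 1 on success, 0 on any failure. */
int demo_copy_ok(void)
{
    const unsigned char sample[4] = { 0x41, 0x42, 0x43, 0x44 };  /* constructed input */
    unsigned char *buf = copy_data_checked(sample, sizeof sample);
    int ok = buf != NULL && memcmp(buf + HEADER_LEN, sample, sizeof sample) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    uint32_t total;
    int wrapped = alloc_len_wraps(0xFFFFFFF8u, &total);
    printf("0xFFFFFFF8 + 8 -> 0x%08X, wrapped=%d\n", total, wrapped);
    printf("copy of 0xFFFFFFF8 bytes rejected: %s\n",
           copy_data_checked(NULL, 0xFFFFFFF8u) == NULL ? "yes" : "no");
    printf("small copy ok: %d\n", demo_copy_ok());
    return 0;
}
```

The check is written against a fixed-width 'uint32_t' rather than 'unsigned int' or 'size_t' so it behaves the same on 32-bit and 64-bit builds; on a 64-bit platform, passing the length through a wider 'size_t' before the addition would not wrap, but a function that receives a 32-bit 'data_len' and adds a constant to it in 32-bit arithmetic still does.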
