Dailydave mailing list archives

Re: Ferret


From: "Robert Wesley McGrew" <wesley () mcgrewsecurity com>
Date: Tue, 6 Mar 2007 09:26:26 -0600

On 3/6/07, Phrack Senate Omniscient <phracksenate () gmail com> wrote:

> Ferret-1/Ferret/http.c:
> void process_simple_http(struct Seaper *seap, struct NetFrame *frame,
>         const unsigned char *px, unsigned length) {
>         char method[16];
>         ...
>         x=0;
>         while (i<length && !isspace(px[i])) {
>                 if (x < sizeof(method) -1) {
>                         method[x++] = (char)toupper(px[i++]);
>                         method[x] = '\0';
>                 }
>         }
>
> ur code getting owned in less than 60 seconds: priceless

Not that this isn't bad (it is), but to get here, it has to pass this
check in tcp.c:

171     if (smellslike_httprequest(px, length))
172             process_simple_http(seap, frame, px, length);

It turns out the bounds-checking for this is actually done up in
smellslike_httprequest :

43      for (i=0; i<length && isspace(data[i]); i++)
44              ;
45      method = i;
46      while (i<length && !isspace(data[i]))
47              i++;
48      if (i>10)
49              return 0;

I would agree that process_simple_http should carry its own
bounds-checking with it though.  It would turn out badly if someone
tinkering decided to use that function without the corresponding
smellslike.

> knowing that ur code prolly has a dozen other elementary errors
> resulting in memory corruption: just fucking embarrassing

This is probably still true.

> Some at Black Hat called it "serious fucking business".

Maybe I should actually build this thing and play with it :P

--
Robert Wesley McGrew
http://mcgrewsecurity.com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
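The thread's point is that the quoted loop in process_simple_http only keeps going because smellslike_httprequest has already rejected long method tokens; on its own, once method[] is full the loop stops advancing i and spins on an over-long token. Below is an added example (not Ferret's code; parse_http_method and looks_like_http_request are hypothetical names) showing the loop with its own bound and unconditional progress, next to a mirror of the caller-side check quoted from tcp.c/smellslike_httprequest:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define METHOD_MAX 16   /* same size as the char method[16] in the quoted code */

/* Hardened rewrite of the quoted loop. The byte at px[i] is always consumed;
 * it is only *stored* while there is room left in method[]. Returns the
 * number of bytes consumed, so the caller can continue past the token. */
size_t parse_http_method(const unsigned char *px, size_t length,
                         char method[METHOD_MAX])
{
    size_t i = 0, x = 0;
    method[0] = '\0';
    while (i < length && !isspace(px[i])) {
        if (x < METHOD_MAX - 1) {
            method[x++] = (char)toupper(px[i]);
            method[x] = '\0';
        }
        i++;                      /* progress no longer depends on the store */
    }
    return i;
}

/* Mirrors only the lines quoted from smellslike_httprequest: skip leading
 * whitespace, then reject when the token ends past offset 10. Whatever the
 * real function does after that is not on the page and is not reproduced. */
int looks_like_http_request(const unsigned char *data, size_t length)
{
    size_t i = 0;
    while (i < length && isspace(data[i]))
        i++;
    while (i < length && !isspace(data[i]))
        i++;
    return i > 10 ? 0 : 1;
}

int main(void)
{
    /* Constructed sample: a 26-byte method token, longer than method[] holds. */
    const char *req = "ABCDEFGHIJKLMNOPQRSTUVWXYZ / HTTP/1.0";
    char method[METHOD_MAX];
    size_t used = parse_http_method((const unsigned char *)req, strlen(req), method);
    printf("pre-check accepts: %d\n", looks_like_http_request((const unsigned char *)req, strlen(req)));
    printf("consumed %zu bytes, stored \"%s\"\n", used, method);
    return 0;
}
```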