Vulnerability Development mailing list archives
Possibly exploitable overflow in Alibaba 2.0
From: dullien () GMX DE (Thomas Dullien)
Date: Thu, 28 Oct 1999 16:57:43 +0200
Hello all together,

Tried a little freeware webserver named Alibaba 2.0 today and found an exploitable overflow. I telnetted to 127.0.0.1:80 and crashed it using

    POST [enter 1028 'x'] / HTTP/1.0

    scanf("%s %s %s", szName, szFile, szSomething);

where szFile is a local variable of 0x400 (=1024) bytes on the stack directly above the return address.

Coding an exploit for this is going to be a little tricky as it mustn't have any 0x20, 0x00, 0x61-0x7A in it since these bytes are changed by the foregoing function that converts everything into uppercase.

I contacted the authors but they stated since it's freeware there will be no support for it :)

If someone wants to code a full exploit, go ahead :)
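The following is an added example written for this archive page; it is not code from the post above and not Alibaba's source, which is not public here. It models the pattern the post describes: a width-less scanf("%s %s %s") into a 0x400-byte stack buffer (the size the post gives for szFile), the request line that crashed the server (1028 'x' bytes after POST), and the byte set the post says a payload must avoid (0x00, 0x20, 0x61-0x7A, the last because of the uppercase pass). The parser functions, their names and the hardened variant are the editor's reconstruction and are hypothetical; the sample byte strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TOKEN_SIZE 0x400   /* 1024 bytes, the size the post gives for szFile */

/* Hypothetical model of the parser described in the post (not Alibaba's
 * code): three %s conversions with no field width, so any token longer than
 * its destination overruns the stack buffer. Kept as the "before" form only;
 * never feed it untrusted input. */
static int parse_request_unsafe(const char *line, char *name, char *file, char *proto)
{
    return sscanf(line, "%s %s %s", name, file, proto);
}

/* Hardened equivalent. Each %s carries a width of TOKEN_SIZE - 1, built from
 * the constant so the format and the buffer size cannot drift apart. A width
 * only truncates, and a truncated token silently re-tokenizes the rest of the
 * line, so a token that exactly filled its buffer is treated as oversized and
 * the request is rejected with -1 instead of being parsed. */
static int parse_request_safe(const char *line, char name[TOKEN_SIZE],
                              char file[TOKEN_SIZE], char proto[TOKEN_SIZE])
{
    char fmt[32];
    snprintf(fmt, sizeof fmt, "%%%ds %%%ds %%%ds",
             TOKEN_SIZE - 1, TOKEN_SIZE - 1, TOKEN_SIZE - 1);
    int n = sscanf(line, fmt, name, file, proto);
    if (n >= 1 && strlen(name) == TOKEN_SIZE - 1) return -1;
    if (n >= 2 && strlen(file) == TOKEN_SIZE - 1) return -1;
    if (n >= 3 && strlen(proto) == TOKEN_SIZE - 1) return -1;
    return n;
}

/* Build the request line the post says crashed the server: "POST ", n 'x'
 * bytes, then " / HTTP/1.0". Returns the length written (without the NUL),
 * or -1 if the caller's buffer is too small. */
static int build_crash_request(char *out, size_t out_len, size_t n)
{
    const char *head = "POST ", *tail = " / HTTP/1.0";
    size_t need = strlen(head) + n + strlen(tail) + 1;
    if (need > out_len) return -1;
    memcpy(out, head, strlen(head));
    memset(out + strlen(head), 'x', n);
    memcpy(out + strlen(head) + n, tail, strlen(tail) + 1);
    return (int)(need - 1);
}

/* Byte constraints from the post: 0x00 terminates the C string, 0x20 ends
 * the %s token, and 0x61-0x7A are rewritten by the uppercase pass. */
static int is_bad_byte(unsigned char c)
{
    return c == 0x00 || c == 0x20 || (c >= 0x61 && c <= 0x7A);
}

/* Index of the first byte the parser would drop or alter, or -1 if none. */
static long first_bad_byte(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (is_bad_byte(buf[i])) return (long)i;
    return -1;
}

/* Same property checked the way the server would apply it: a payload is
 * usable only if toupper() leaves every byte unchanged and it contains
 * neither 0x00 nor 0x20. In the C locale bytes >= 0x80 pass through. */
static int survives_uppercase_pass(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == 0x00 || buf[i] == 0x20) return 0;
        if ((unsigned char)toupper(buf[i]) != buf[i]) return 0;
    }
    return 1;
}

int main(void)
{
    char req[2048], name[TOKEN_SIZE], file[TOKEN_SIZE], proto[TOKEN_SIZE];
    int len = build_crash_request(req, sizeof req, 1028);
    printf("crash request is %d bytes; hardened parser returns %d\n",
           len, parse_request_safe(req, name, file, proto));

    /* constructed sample: "ABC" followed by a lowercase 'a' and a space */
    static const unsigned char sample[] = "\x41\x42\x43\x61\x20";
    printf("first bad byte at index %ld\n", first_bad_byte(sample, 5));
    return 0;
}
```

Two points the example is meant to make concrete. First, the fix for a width-less %s is not just "add a width": with "%1023s" the 1028-byte token is cut at 1023 characters and the leftover five 'x' bytes become the third token, so the request parses "successfully" with a bogus protocol field; rejecting any token that filled its buffer avoids that. Second, the bad-byte check encodes exactly the constraint the post states, so a candidate payload can be screened before anyone spends time on an encoder.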
Current thread:
- Possibly exploitable overflow in Alibaba 2.0 Thomas Dullien (Oct 28)
- Re: Possibly exploitable overflow in Alibaba 2.0 W.H.J.Pinckaers (Oct 29)
- FreeBSD listen() again 3APA3A (Oct 30)
- Re: FreeBSD listen() again Sebastian (Oct 30)
- Re: Possibly exploitable overflow in Alibaba 2.0 Blue Boar (Oct 30)
- <Possible follow-ups>
- Re: Possibly exploitable overflow in Alibaba 2.0 Thomas Dullien (Oct 30)