Vulnerability Development mailing list archives

Possibly exploitable overflow in Alibaba 2.0


From: dullien () GMX DE (Thomas Dullien)
Date: Thu, 28 Oct 1999 16:57:43 +0200


Hello everyone,

Tried a little freeware webserver named Alibaba 2.0 today
and found an exploitable overflow. I telnetted to 127.0.0.1:80
and crashed it using
POST [enter 1028 'x'] / HTTP/1.0

scanf("%s %s %s", szName, szFile, szSomething);

where szFile is a local variable of 0x400 (=1024) bytes
on the stack directly above the return address.
Coding an exploit for this is going to be a little tricky, as
it mustn't have any 0x20, 0x00, or 0x61-0x7A bytes in it, since
these bytes are changed by the preceding function
that converts everything into uppercase.

I contacted the authors, but they stated that since it's freeware
there will be no support for it :)
If someone wants to code a full exploit, go ahead :)
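The bug in the post is the unbounded `%s` conversions into fixed 0x400-byte stack buffers. The following is an added example, not code from the post or from Alibaba itself: a hardened C counterpart that bounds every field with a width and rejects over-long tokens before scanning, exercised with a constructed request line shaped like the 1028-byte one above. `TOKEN_BUF`, `struct request_line` and the function names are assumptions introduced here.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_BUF 0x400 /* 1024 bytes, the buffer size given in the post */

/* Assumed layout for the three parsed fields of a request line. */
struct request_line { char method[TOKEN_BUF]; char path[TOKEN_BUF]; char version[TOKEN_BUF]; };

/* Length of the longest whitespace-separated token in line. */
static size_t longest_token(const char *line)
{
    size_t longest = 0, n;
    const char *p = line;
    while (*p) {
        p += strspn(p, " \t\r\n");
        n = strcspn(p, " \t\r\n");
        if (n > longest) longest = n;
        p += n;
    }
    return longest;
}

/* Hardened parse: reject any token that cannot fit together with its NUL,
   then scan with field widths so no conversion can write more than
   TOKEN_BUF-1 characters. Returns 1 for a well-formed line, 0 otherwise.
   The explicit length check also avoids silent truncation, which would let
   the tail of an over-long token be misread as the next field. */
static int parse_request_line_safe(const char *line, struct request_line *out)
{
    if (longest_token(line) >= TOKEN_BUF)
        return 0;
    return sscanf(line, "%1023s %1023s %1023s",
                  out->method, out->path, out->version) == 3;
}

/* Constructed sample input mirroring the post: "POST", then a path of
   path_len 'x' characters, then "/ HTTP/1.0". Returns the parser's verdict
   (1 accepted, 0 rejected, -1 if the sample does not fit the scratch buffer). */
static int check_constructed_post(size_t path_len)
{
    static char buf[4096];
    struct request_line req;
    if (path_len > sizeof buf - 32) return -1;
    memcpy(buf, "POST ", 5);
    memset(buf + 5, 'x', path_len);
    strcpy(buf + 5 + path_len, " / HTTP/1.0");
    return parse_request_line_safe(buf, &req);
}
```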

