Vulnerability Development mailing list archives

Re: Yahoo pager


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Thu, 31 Aug 2000 13:26:37 +0200

eip=61616161
The first few times I tried to crash YM I used random characters until YM
prevented me from entering more.  When I was figuring the buffer limit I
used "a"'s, I don't think the character makes a difference.

Without knowing where the 0x61's come from, I'd really say it might be
jumping to conclusions. Perhaps this is a broken snprintf implementation
which forgets to null-terminate on overflows, or something similar. Then
we ''only'' have to figure out where the arrays of 0x61 are used and make
the appropriate sequence to make YM change it.

A bit of work though ;)

Anyone up to the challenge?
Anyone contacted yahoo about the issue?

/me off to take a nap, work - what a horrible thought :)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
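
The failure mode hypothesised in the message above (a bounded formatter that does not null-terminate on overflow), shown beside a terminating form. This is an added example, not part of the original post and not Yahoo Messenger code; `fmt_broken`, `fmt_fixed`, the `record` layout and the input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: a fixed-size field followed by unrelated data. */
struct record { char name[8]; char next[8]; };

/* Models the hypothesised bug: truncates to cap bytes, but writes the
   terminator only when the input is shorter than the buffer. */
static void fmt_broken(char *dst, size_t cap, const char *src) {
    size_t i = 0;
    for (; i < cap && src[i]; i++) dst[i] = src[i];
    if (i < cap) dst[i] = '\0';
}

/* Terminating form: C99 snprintf always terminates when cap > 0.
   Returns 1 if the input was truncated, 0 if it fit, -1 on error. */
static int fmt_fixed(char *dst, size_t cap, const char *src) {
    if (cap == 0) return -1;
    int n = snprintf(dst, cap, "%s", src);
    if (n < 0) { dst[0] = '\0'; return -1; }
    return (size_t)n >= cap;
}

/* Length a string consumer would see starting at r->name,
   bounded by the record size so the probe itself stays in bounds. */
static size_t visible_len(const struct record *r) {
    const char *base = (const char *)r;
    const char *nul = memchr(base, '\0', sizeof *r);
    return nul ? (size_t)(nul - base) : sizeof *r;
}

/* Fill a record from an over-long run of 'a' (0x61) and report what a
   later reader of r.name would see. *truncated is -1 for the broken path. */
size_t run_case(int use_fixed, int *truncated) {
    struct record r;
    char input[33];
    memset(input, 'a', 32); input[32] = '\0';
    memset(&r, 0, sizeof r);
    memcpy(r.next, "NEIGHBR", 8);
    if (use_fixed) *truncated = fmt_fixed(r.name, sizeof r.name, input);
    else { fmt_broken(r.name, sizeof r.name, input); *truncated = -1; }
    return visible_len(&r);
}

int main(void) {
    int t = 0;
    size_t broken = run_case(0, &t);
    size_t fixed = run_case(1, &t);
    printf("broken: %zu bytes visible\nfixed: %zu bytes visible, truncated=%d\n", broken, fixed, t);
    return 0;
}
```

With the broken formatter the 8-byte field has no terminator, so a reader of `name` runs on into the adjacent field; the terminating form stops at 7 bytes and reports the truncation.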

