Dailydave mailing list archives

Re: VisualExploit.py


From: Daryl Tester <Daryl.Tester () iocane com au>
Date: Sat, 26 Feb 2005 12:23:13 +1030

Dave Aitel wrote:

> This is more properly called a "Visual Language", not to be confused with Visual Studio.

I've always thought the shining example of a Visual Language is
Cube, by Marc Najork et al.  I did a quick Google, but couldn't
come up with any "purdee pictures" (if you've got DDJ's Dec 1995
"Visual Programming" issue, it's got a great cover shot of Cube).

I'm wondering what the overall effect of "lowering the bar" would
be - would vendors then make a more concerted effort to write
"better" (read: more secure) programs before releasing?  Would
they use the tools themselves?  Perhaps you could call it "Pandora's
Boxes"?  :-)

> o Wizards can enforce good coding practices for exploits - even good Python programmers sometimes use str+=str2, which is bad exploit coding practice since it changes string size. (Hi Rich)

I don't think so.  Strings are still immutable under Python - all
str += str2 gives you is a new str (and the old str is garbage
collected).  It's still equivalent to str = str + str2.

$ python
Python 2.3.3 (#1, May  7 2004, 10:31:40)
[GCC 3.3.3 20040412 (Red Hat Linux 3.3.3-7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> str = 'hi'
>>> str_ref = str
>>> str2 = ' there'
>>> print id(str), id(str_ref), id(str2)
-151574432 -151574432 -151574176
>>> str += str2
>>> str
'hi there'
>>> print id(str), id(str_ref), id(str2)
-151574112 -151574432 -151574176

Note that str's id changed, but str_ref's stayed the same.


--
Regards,
 Daryl Tester,  Software Wrangler and Bit Herder, IOCANE Pty. Ltd.

"I have read of a place where humans do battle in a ring of Jell-O."
 -- Teal'c, SG-1