Dailydave mailing list archives

Re: spike bug?


From: Avri <avri.schneider () gmail com>
Date: Tue, 9 Aug 2005 14:01:54 -0700

Ok... so I found a reference to this bug...

Answer 'A' is not good enough imo - the socket being closed could mean
that the connection was dropped by the target app due to an invalid
parameter which does not cause a crash, and a different value may
crash it. In my case, my XP box was patched and sending the bad RDP
packet to it made it drop the connection (I forgot I left it on
auto-update). But as I said, maybe a certain value would be treated
differently, causing a connection reset but no crash, but a certain
different value would cause a crash...
You might not get that different value sent due to spike exiting and
not continuing the fuzzing... I think it's better to add "if (fd==-1)
return(0);" to s_fd_wait(), which keeps the fuzzer going...

Regards,
Avri

======================================================
From PSHARMA4 at bloomberg.net  Tue Aug 12 12:45:07 2003
From: PSHARMA4 at bloomberg.net (PRANAV SHARMA, BLOOMBERG/ 499 PARK)
Date: Tue Aug 12 10:53:42 2003
Subject: [Spike] spike seg faults
Message-ID: <2960_1095_1060703106_791@inet3-p057>

Hi guys and gals,
any idea what you do with this:
after running for some time the fuzzer seg faults:

Couldn't tcp connect to target

Program received signal SIGSEGV, Segmentation fault.
0x0804e9ac in s_fd_wait () at spike.c:1372
1372      FD_SET(fd, &rfds);
Please let me know,
thanks, 
JustDoIt.



From dave at immunitysec.com  Tue Aug 12 17:52:36 2003
From: dave at immunitysec.com (dave () immunitysec com)
Date: Tue Aug 12 16:52:39 2003
Subject: [Spike] spike seg faults
In-Reply-To: <2960_1095_1060703106_791@inet3-p057>
References: <2960_1095_1060703106_791@inet3-p057>
Message-ID: <49787.24.193.40.199.1060721556.squirrel () www immunitysec com>

A) One possibility is that SPIKE has killed the remote service...SPIKE
then seg faults because I don't think that version has any error checking.
:>

B) Another possibility is that your SPIKE script is not closing sockets
when it's done with them. This is causing your fd_set to get really large,
which is overwriting various things on the stack. A fun security bug if
your SPIKE script is setuid (which it's not).

Hopefully the answer is A) since that means SPIKE has found some sort of
bug in your target application. :>

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
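The two failure modes in the thread share one root cause: FD_SET(fd, &rfds) writes bit number fd into a fixed-size bit array, so a -1 left behind by a failed connect (Avri's case) or a descriptor number that has climbed past FD_SETSIZE because sockets are never closed (Dave's case B) both write outside the array on the stack. The following is an added example, not SPIKE's own code, of a bounds-checked wrapper around the same select() idiom together with a loop that keeps fuzzing over a failed connect instead of dying; checked_fd_wait, fuzz_run, fake_connect and the FD_WAIT_* constants are names chosen for this illustration, and the "target" is a constructed stand-in (a pipe with one byte queued, or -1 for every third case) so it runs offline.

```c
/*
 * Added example (not SPIKE's code): a bounds-checked version of the
 * select() idiom behind s_fd_wait().  Function and constant names are
 * assumptions made for this illustration.
 */
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

enum {
    FD_WAIT_INVALID = -2,  /* fd unusable with select(); fd_set never touched */
    FD_WAIT_ERROR   = -1,  /* select() failed, errno is set */
    FD_WAIT_TIMEOUT =  0,
    FD_WAIT_READY   =  1
};

/* fd_set is a fixed bit array of FD_SETSIZE bits.  FD_SET(fd, &set) sets
 * bit number fd; a negative fd (the -1 a failed connect leaves behind) or
 * an fd >= FD_SETSIZE writes outside the array, i.e. over the caller's
 * stack.  Both are rejected before FD_SET is ever reached. */
static int fd_is_selectable(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Wait up to timeout_sec for fd to become readable. */
int checked_fd_wait(int fd, int timeout_sec)
{
    fd_set rfds;
    struct timeval tv;
    int rc;

    if (!fd_is_selectable(fd))
        return FD_WAIT_INVALID;   /* caller skips this case and keeps fuzzing */

    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    tv.tv_sec = timeout_sec;
    tv.tv_usec = 0;

    do {
        rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    } while (rc == -1 && errno == EINTR);

    if (rc == -1)
        return FD_WAIT_ERROR;
    return (rc > 0 && FD_ISSET(fd, &rfds)) ? FD_WAIT_READY : FD_WAIT_TIMEOUT;
}

/* Constructed stand-in for connecting to the target: every third case
 * "fails to connect" and yields -1, as connect() does when the target
 * drops the connection; the others yield the read end of a pipe with one
 * byte already queued, so the wait completes immediately. */
static int fake_connect(int case_no, int *write_end)
{
    int p[2];
    *write_end = -1;
    if (case_no % 3 == 2)
        return -1;
    if (pipe(p) == -1)
        return -1;
    if (write(p[1], "x", 1) != 1) { close(p[0]); close(p[1]); return -1; }
    *write_end = p[1];
    return p[0];
}

/* Drive ncases test cases through the wait.  Returns how many cases were
 * attempted; *failed_connects counts the ones skipped because connect
 * handed back -1.  Closing both descriptors every iteration keeps fd
 * numbers low, which is the fix for the fd >= FD_SETSIZE failure mode. */
int fuzz_run(int ncases, int *failed_connects)
{
    int attempted = 0, i;
    *failed_connects = 0;
    for (i = 0; i < ncases; i++) {
        int wfd, fd = fake_connect(i, &wfd);
        int rc = checked_fd_wait(fd, 1);
        attempted++;
        if (rc == FD_WAIT_INVALID) {
            (*failed_connects)++;
            continue;            /* unchecked FD_SET(-1, ...) would crash here */
        }
        close(fd);
        close(wfd);
    }
    return attempted;
}

int main(void)
{
    int failed;
    int n = fuzz_run(9, &failed);
    printf("cases attempted: %d, failed connects skipped: %d\n", n, failed);
    return 0;
}
```

Returning a distinct FD_WAIT_INVALID rather than Avri's plain 0 lets the caller tell "target closed the connection on this input" apart from "target stayed silent", which is exactly the distinction the first message argues matters: a reset with no crash is still a data point worth logging before moving on to the next value.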

