Re: can this overflow lead to exploitation?

[ArcSighter Elite <arcsighter () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

pen-test wrote:
> Just doubt, when the url is above 1 MB the app crashes and dump the
> memory, if a byte less, then no prob.Just Invalid url from
> application.
> But i cant see my 1024 bytes of "aaaaa" any where in stack nor app
> memory and also none of the regs are affected by this loooong url,
> what am i missing here?
>
> On Wed, Feb 11, 2009 at 3:46 AM, shellcoder1 <shellcoder1 () gmail com> wrote:
> > can you control any register ?
> > how did you know this is a buffer overflow?
> > what did you see when you load it in a debugger?
> >
> >
> > I suggest reading about the subject first before going on.
> >
> > pen-test wrote:
> > > Hi all,
> > >
> > > Just need some help exploiting a doubtd buffer overflow, Well, the
> > > scenario is, i found a cute little app of my friend, vulnerable to overflow(?).
> > > But i can't say at this time whthr itz exploitable or not. Thatz why i
> > > need help,
> > >
> > > Ok, what you do when u doubt thrz a chance of exploitation, if an app
> > > get crashed, when given an arbitrary long URL/filename?
> > >
> > > In my case the app crashed with a MessageBox from the exception
> > > handler that the "app terminated unexpectdly" and giving a dmp, I just
> > > ran the mem dump thru VS 2005 and got "an Unhandled exception at
> > > 0x019f57b0 in app.exe: 0xC0000005:Access violation writing location
> > > 0xd357a29f." Seems a null pointer usage, but not sure.
> > >
> > > Hmmm, following me?
> > >
> > > Now pls help me analyse the case and if exploitable, how? Any online
> > > documentations, e-books ? Above all any experts in buff overflow
> > > exploitation?
> > >
> > > Thanks ahead,
> > >
> > > Tom

Identifying a security issue as exploitable is a bit difficult and so it
 requires some knowledge.
As I already said if you can control a dword that is being used to write
to a memory address (*dword) then you could probably exploit the issue.
In determining the vulnerability, it's hard to tell without looking at
the code, so you have to tell us, basically:
1- How long is the buffer?
2- Where does the overflow, if any, ocurrs, stack, heap or data section?
3- How many bytes you can overflow?
4- What are the restricted chars in your input? (See 6).
5- Which compile-time/OS protections are in place?
6- Following the data-flow of your input, it is
transformed/stripped/modified somehow?

That's a good starting point IMHO.

Sincerely.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJlGlfH+KgkfcIQ8cRAkZvAJ9d9wFTkyAUNiIoteqPciSEOh0MbwCg3Rme
L3iNLmf0rtMYnXqZNThKNJ4=
=CQC5
-----END PGP SIGNATURE-----