Penetration Testing mailing list archives
Re: can this overflow lead to exploitation?
From: ArcSighter Elite <arcsighter () gmail com>
Date: Thu, 12 Feb 2009 13:24:32 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

pen-test wrote:
Just doubt, when the URL is above 1 MB the app crashes and dumps the memory; if a byte less, then no problem, just "Invalid url" from the application. But I can't see my 1024 bytes of "aaaaa" anywhere in the stack nor app memory, and also none of the regs are affected by this loooong URL. What am I missing here?

On Wed, Feb 11, 2009 at 3:46 AM, shellcoder1 <shellcoder1 () gmail com> wrote:

Can you control any register? How did you know this is a buffer overflow? What did you see when you loaded it in a debugger? I suggest reading about the subject first before going on.

pen-test wrote:

Hi all, just need some help exploiting a doubted buffer overflow. Well, the scenario is, I found a cute little app of my friend, vulnerable to overflow(?). But I can't say at this time whether it's exploitable or not. That's why I need help. OK, what do you do when you doubt there's a chance of exploitation, if an app gets crashed when given an arbitrarily long URL/filename? In my case the app crashed with a MessageBox from the exception handler that the "app terminated unexpectedly" and giving a dump. I just ran the mem dump through VS 2005 and got "an Unhandled exception at 0x019f57b0 in app.exe: 0xC0000005: Access violation writing location 0xd357a29f." Seems a null pointer usage, but not sure. Hmmm, following me? Now please help me analyse the case and if exploitable, how? Any online documentation, e-books? Above all, any experts in buffer overflow exploitation? Thanks ahead, Tom
Identifying a security issue as exploitable is a bit difficult and so it requires some knowledge. As I already said, if you can control a dword that is being used to write to a memory address (*dword) then you could probably exploit the issue. In determining the vulnerability, it's hard to tell without looking at the code, so you have to tell us, basically:

1- How long is the buffer?
2- Where does the overflow, if any, occur: stack, heap or data section?
3- How many bytes can you overflow?
4- What are the restricted chars in your input? (See 6.)
5- Which compile-time/OS protections are in place?
6- Following the data-flow of your input, is it transformed/stripped/modified somehow?

That's a good starting point IMHO.

Sincerely.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJlGlfH+KgkfcIQ8cRAkZvAJ9d9wFTkyAUNiIoteqPciSEOh0MbwCg3Rme
L3iNLmf0rtMYnXqZNThKNJ4=
=CQC5
-----END PGP SIGNATURE-----
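The checklist above (buffer length, how many bytes can be written past it, which characters the input accepts, how the input is transformed on its way to the copy) is exactly what a developer fixing such a crash has to pin down. The C below is an added illustration, not code from this thread or from Tom's application: it places the unchecked copy pattern that produces "access violation writing" crashes next to a bounded, allow-listed replacement that refuses oversize or malformed URLs instead of writing past the field. `URL_MAX`, the function names, the allow-list and the sample inputs are all assumptions made for the example; the real application's field size is unknown.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination capacity of the application's URL field, including the
 * terminating NUL. The thread gives no real size; 1024 is a placeholder. */
#define URL_MAX 1024

/* The unchecked pattern behind crashes like the one described: no length
 * check, so input longer than dst overwrites whatever follows it in memory.
 * Kept only for contrast; nothing in this file calls it. */
void url_copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Allow-list of bytes accepted in a URL (RFC 3986 unreserved and reserved
 * characters plus '%'). This is the defender's answer to checklist item 4:
 * decide up front which bytes the field may contain. */
static int url_char_allowed(unsigned char c)
{
    return isalnum(c) || strchr("-._~:/?#[]@!$&'()*+,;=%", c) != NULL;
}

/* Bounded copy that fails closed. Returns 0 on success, -1 when src does not
 * fit in dst_size bytes (NUL included) or contains a disallowed byte.
 * dst is left untouched on rejection. */
int url_copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* The length scan is bounded by dst_size, so an unterminated or huge src
     * is never read beyond the point where it is already known to be too long. */
    while (n < dst_size && src[n] != '\0') {
        if (!url_char_allowed((unsigned char)src[n]))
            return -1;
        n++;
    }
    if (n == dst_size)   /* no room left for the NUL: input too long */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Self-checks returning 1 when the bounded copy behaves as intended, 0 otherwise. */
int check_accepts_normal_url(void)
{
    char dst[URL_MAX];
    const char *url = "http://example.invalid/path?q=1";   /* constructed input */
    return url_copy_bounded(dst, sizeof dst, url) == 0 && strcmp(dst, url) == 0;
}

int check_rejects_oversize_url(void)
{
    char dst[URL_MAX];
    char big[4 * URL_MAX];                 /* constructed: a run of 'a's, like */
    memset(big, 'a', sizeof big - 1);      /* the long "aaaaa" input in the thread */
    big[sizeof big - 1] = '\0';
    dst[0] = 'x';                          /* sentinel: must survive the rejection */
    return url_copy_bounded(dst, sizeof dst, big) == -1 && dst[0] == 'x';
}

int check_rejects_disallowed_byte(void)
{
    char dst[URL_MAX];
    /* constructed input: a space is not in the allow-list */
    return url_copy_bounded(dst, sizeof dst, "http://example.invalid/a b") == -1;
}

int main(void)
{
    printf("normal URL accepted: %d\n", check_accepts_normal_url());
    printf("oversize URL rejected: %d\n", check_rejects_oversize_url());
    printf("disallowed byte rejected: %d\n", check_rejects_disallowed_byte());
    return 0;
}
```

The rejection path returns before any write to `dst`, which is the property worth testing: an oversize URL should surface as an application-level error (the "Invalid url" message Tom sees just under the threshold) rather than as a write to an address derived from the input, as in the `0xd357a29f` fault he reports. Items 5 and 6 of the checklist are not covered here; they are answered by the build settings and by reading the code that handles the URL before the copy.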
Current thread:
- can this overflow lead to exploitation? pen-test (Feb 10)
- Re: can this overflow lead to exploitation? shellcoder1 (Feb 11)
- Message not available
- Re: can this overflow lead to exploitation? pen-test (Feb 11)
- Re: can this overflow lead to exploitation? ArcSighter Elite (Feb 12)
- Re: can this overflow lead to exploitation? Sanjay R (Feb 18)
- Message not available
- Re: can this overflow lead to exploitation? shellcoder1 (Feb 11)