Re: can this overflow lead to exploitation?

[Sanjay R <2sanjayr () gmail com>]

Hi..
Adding to points, mentioned by ArcSighter, can you please run your
application with Ollydbg and see where is the problem i.e. overflow?
you can, if required, post the findings in this list to help others
understanding the flow.

-sanjay

On Thu, Feb 12, 2009 at 11:54 PM, ArcSighter Elite <arcsighter () gmail com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> pen-test wrote:
> > Just doubt, when the url is above 1 MB the app crashes and dump the
> > memory, if a byte less, then no prob.Just Invalid url from
> > application.
> > But i cant see my 1024 bytes of "aaaaa" any where in stack nor app
> > memory and also none of the regs are affected by this loooong url,
> > what am i missing here?
> >
> > On Wed, Feb 11, 2009 at 3:46 AM, shellcoder1 <shellcoder1 () gmail com> wrote:
> > > can you control any register ?
> > > how did you know this is a buffer overflow?
> > > what did you see when you load it in a debugger?
> > >
> > >
> > > I suggest reading about the subject first before going on.
> > >
> > > pen-test wrote:
> > > > Hi all,
> > > >
> > > > Just need some help exploiting a doubtd buffer overflow, Well, the
> > > > scenario is, i found a cute little app of my friend, vulnerable to overflow(?).
> > > > But i can't say at this time whthr itz exploitable or not. Thatz why i
> > > > need help,
> > > >
> > > > Ok, what you do when u doubt thrz a chance of exploitation, if an app
> > > > get crashed, when given an arbitrary long URL/filename?
> > > >
> > > > In my case the app crashed with a MessageBox from the exception
> > > > handler that the "app terminated unexpectdly" and giving a dmp, I just
> > > > ran the mem dump thru VS 2005 and got "an Unhandled exception at
> > > > 0x019f57b0 in app.exe: 0xC0000005:Access violation writing location
> > > > 0xd357a29f." Seems a null pointer usage, but not sure.
> > > >
> > > > Hmmm, following me?
> > > >
> > > > Now pls help me analyse the case and if exploitable, how? Any online
> > > > documentations, e-books ? Above all any experts in buff overflow
> > > > exploitation?
> > > >
> > > > Thanks ahead,
> > > >
> > > > Tom
>
> Identifying a security issue as exploitable is a bit difficult and so it
>  requires some knowledge.
> As I already said if you can control a dword that is being used to write
> to a memory address (*dword) then you could probably exploit the issue.
> In determining the vulnerability, it's hard to tell without looking at
> the code, so you have to tell us, basically:
> 1- How long is the buffer?
> 2- Where does the overflow, if any, ocurrs, stack, heap or data section?
> 3- How many bytes you can overflow?
> 4- What are the restricted chars in your input? (See 6).
> 5- Which compile-time/OS protections are in place?
> 6- Following the data-flow of your input, it is
> transformed/stripped/modified somehow?
>
> That's a good starting point IMHO.
>
> Sincerely.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFJlGlfH+KgkfcIQ8cRAkZvAJ9d9wFTkyAUNiIoteqPciSEOh0MbwCg3Rme
> L3iNLmf0rtMYnXqZNThKNJ4=
> =CQC5
> -----END PGP SIGNATURE-----



-- 
Computer Security Learner