Penetration Testing mailing list archives
Re: can this overflow lead to exploitation?
From: Sanjay R <2sanjayr () gmail com>
Date: Sun, 15 Feb 2009 11:50:11 +0530
Hi,

Adding to the points mentioned by ArcSighter, can you please run your application under OllyDbg and see where the problem, i.e. the overflow, is? If required, you can post the findings to this list to help others understand the flow.

-sanjay

On Thu, Feb 12, 2009 at 11:54 PM, ArcSighter Elite <arcsighter () gmail com> wrote:
> pen-test wrote:
> > Just a doubt: when the URL is above 1 MB the app crashes and dumps the memory; if a byte less, then no problem, just "Invalid url" from the application. But I can't see my 1024 bytes of "aaaaa" anywhere in the stack nor in app memory, and also none of the regs are affected by this loooong URL. What am I missing here?
> >
> > On Wed, Feb 11, 2009 at 3:46 AM, shellcoder1 <shellcoder1 () gmail com> wrote:
> > > Can you control any register? How did you know this is a buffer overflow? What did you see when you loaded it in a debugger? I suggest reading about the subject first before going on.
> > >
> > > pen-test wrote:
> > > > Hi all,
> > > >
> > > > Just need some help exploiting a doubted buffer overflow. Well, the scenario is, I found a cute little app of my friend, vulnerable to overflow(?). But I can't say at this time whether it's exploitable or not. That's why I need help. OK, what do you do when you doubt there's a chance of exploitation, if an app gets crashed when given an arbitrarily long URL/filename? In my case the app crashed with a MessageBox from the exception handler that the "app terminated unexpectedly" and giving a dmp. I just ran the mem dump through VS 2005 and got "an Unhandled exception at 0x019f57b0 in app.exe: 0xC0000005: Access violation writing location 0xd357a29f." Seems a null pointer usage, but not sure. Hmmm, following me? Now please help me analyse the case and if exploitable, how? Any online documentation, e-books? Above all any experts in buff overflow exploitation?
> > > >
> > > > Thanks ahead,
> > > > Tom
>
> Identifying a security issue as exploitable is a bit difficult and so it requires some knowledge. As I already said, if you can control a dword that is being used to write to a memory address (*dword) then you could probably exploit the issue. In determining the vulnerability, it's hard to tell without looking at the code, so you have to tell us, basically:
>
> 1- How long is the buffer?
> 2- Where does the overflow, if any, occur: stack, heap or data section?
> 3- How many bytes can you overflow?
> 4- What are the restricted chars in your input? (See 6).
> 5- Which compile-time/OS protections are in place?
> 6- Following the data flow of your input, is it transformed/stripped/modified somehow?
>
> That's a good starting point IMHO.
>
> Sincerely.
-- Computer Security Learner
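Added example, not part of the thread or of the crashing application. The original poster sent a run of "aaaa" and could not find it in registers or memory; a cyclic pattern of unique 4-byte windows (the Metasploit pattern_create/pattern_offset idea) fixes that, because any dword the debugger shows, including the "Access violation writing location" address, decodes to one input offset. That answers ArcSighter's questions 2 and 3 (where, and how many bytes) and tests his exploitability criterion directly: if the faulting write address decodes to an offset, the input controls the dword being used as a pointer. The record layout (64-byte path, 4-byte length, 4-byte pointer), the address 0x00401000 and the input strings are constructed for the example; the overflow is simulated on a byte image of the record so this program itself never writes out of bounds.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Cyclic pattern "Aa0Aa1Aa2...": every 4-byte window is unique for the first
 * 26*26*10*3 = 20280 bytes. Longer requests than that should carry the pattern
 * only in the region being probed and filler elsewhere. Writes at most
 * PATTERN_MAX bytes plus a NUL into OUT; returns the number of bytes written. */
#define PATTERN_MAX 20280

size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    if (len > PATTERN_MAX)
        len = PATTERN_MAX;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char triple[3] = { u, l, d };
                for (int k = 0; k < 3 && n < len; k++)
                    out[n++] = triple[k];
            }
    out[n] = '\0';
    return n;
}

/* Find VALUE, in the byte order a debugger shows for a dword loaded from the
 * buffer, inside a LEN-byte pattern. Returns the offset or -1 if absent. */
long pattern_offset(uint32_t value, size_t len)
{
    unsigned char needle[4];
    long off = -1;
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -1;
    memcpy(needle, &value, sizeof needle);   /* host byte order, same as the target */
    len = pattern_create(buf, len);
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, needle, 4) == 0) {
            off = (long)i;
            break;
        }
    }
    free(buf);
    return off;
}

/* Constructed stand-in for the application's parsed-URL record (assumed layout):
 * a 64-byte path, a 4-byte length, then a 4-byte pointer the program later
 * writes a status dword through. Returns the pointer value that write would use. */
#define PATH_SIZE   64
#define PTR_OFF     (PATH_SIZE + 4)
#define REC_SIZE    (PTR_OFF + 4)
#define STATUS_ADDR 0x00401000u   /* constructed address of the status dword */

uint32_t simulated_write_target(const char *input)
{
    unsigned char rec[REC_SIZE];
    uint32_t ptr = STATUS_ADDR;
    size_t n = strlen(input);

    memset(rec, 0, sizeof rec);
    memcpy(rec + PTR_OFF, &ptr, 4);
    /* The bug being modelled is an unbounded copy. It is clamped to the record
     * image here only so the simulation stays in bounds; the real copy runs on. */
    if (n > REC_SIZE)
        n = REC_SIZE;
    memcpy(rec, input, n);             /* bytes 64.. spill into length and pointer */
    memcpy(&ptr, rec + PTR_OFF, 4);    /* the program would now do *(uint32_t *)ptr = status */
    return ptr;
}

/* Send a LEN-byte pattern through the toy parser and decode the resulting write
 * target back to an input offset; -1 means the input did not reach the pointer. */
long demo_offset(size_t len)
{
    char *pattern = malloc(len + 1);
    long off;
    if (pattern == NULL)
        return -1;
    pattern_create(pattern, len);
    off = pattern_offset(simulated_write_target(pattern), len);
    free(pattern);
    return off;
}

int main(void)
{
    /* Short input: record intact, the write goes where the program intended. */
    printf("short input  -> write target 0x%08x\n",
           simulated_write_target("http://example.test/index"));
    /* Long input: the faulting address decodes to an offset, so the dword is ours. */
    printf("200-byte pattern -> pointer overwritten from input offset %ld\n",
           demo_offset(200));
    return 0;
}
```

In the thread's setting the same decoding step is applied to the address in the "Access violation writing location" message and to the registers OllyDbg shows at the crash: a value that maps to an offset tells you which input bytes landed there and how far past the buffer the copy reached; a value that does not map (like the 0xd357a29f in the report, if it were tested against a pattern) suggests the input is being transformed on the way, which is ArcSighter's question 6.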
Current thread:
- can this overflow lead to exploitation? pen-test (Feb 10)
- Re: can this overflow lead to exploitation? shellcoder1 (Feb 11)
- Message not available
- Re: can this overflow lead to exploitation? pen-test (Feb 11)
- Re: can this overflow lead to exploitation? ArcSighter Elite (Feb 12)
- Re: can this overflow lead to exploitation? Sanjay R (Feb 18)
- Message not available
- Re: can this overflow lead to exploitation? shellcoder1 (Feb 11)