Vulnerability Development mailing list archives
koules buffer overflows
From: kotz () FLASH NET (Robert)
Date: Fri, 21 Apr 2000 10:35:40 -0500
Before I start I feel that I should warn you that I'm not terribly experienced with BOFs, and so this will be as much a question session as it is a report of bugs. Last night I did some VERY limited searching through koules v. 1.4 (so don't think that these two cases are the only two in the code) and I found two things that are kinda interesting.

Bug 1.)

In the file init.c (located in the svgalib directory of the koules source) there is what seems to be a blatant, classic overflow. The problem is when it parses the -C command line option, it just does a blind strcpy(). Here's a snippet:

client.h:

    extern char servername[256];

svgalib/init.c:

    #include <../client.h>
    ...
        case 'C':
            strcpy(servername, optarg);
            client = 1;
            break;

Ok, so koules -C `perl -e 'print "A" x 300'` should seg fault it, right? No. After just playing around with numbers, 2160 is the lowest it takes to cause a seg fault; however, I can't make it overwrite the EIP. The seg fault is obviously happening in strcpy() and gdb confirms that, but every time it seg faults, the EIP is always 0x400d331f (at least on my box). So my questions here are: why isn't this overwriting the EIP with A's? Can this be overwritten, or is there something I've missed out of inexperience? Any help would be greatly appreciated.

Bug 2.)

The next problem (or at least I think it's a problem) that I found is in the file koules.sndsrv.linux.c. I haven't looked in the other *.sndsrv.* files but I would assume that something similar exists. This time, instead of a strcpy, it's a strcat, but there are some interesting hurdles which make me wonder how this would be exploited. Let me show a snippet, then explain what I mean.

koules.sndsrv.linux.c:

    void init(int argc, char **argv)
    {
        char s[1024];
        ...
        s[0] = 0;
        strcat(s, argv[1]);

Once again, this seems really trivial, but it's a bit more complicated. The function init is later called in the function main() of the same file (koules.sndsrv.linux.c); however, that function main is not the only main. In svgalib/init.c the function main() is the one that runs, and I haven't been able to see where in the hell the OTHER main is called from, or for that matter where any of the functions of that file are called from. So as far as this one goes, I have no clue on how to make it overflow. Once again, any help would be great.

-- Robert Kotz
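A bounded replacement for the two unchecked copies quoted in the post, added here as an example; it is not code from koules or from the poster. The servername array mirrors the client.h declaration, while bounded_copy, set_servername, sndsrv_init_arg and try_servername_of_length are hypothetical names that show how each call site rejects an argument that does not fit instead of writing past the buffer.

```c
#include <stdlib.h>
#include <string.h>
/* Mirrors the declaration quoted in the post (client.h): a 256-byte global. */
char servername[256];

/* Bounded replacement for a blind strcpy()/strcat() into a fixed buffer:
 * copies src only if it fits with its NUL, otherwise returns -1 and leaves
 * dst untouched, so an over-long argument is rejected, not written past. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened form of the 'C' case (strcpy(servername, optarg)); hypothetical
 * name. Returns 0 on success, -1 if optarg was rejected. */
int set_servername(const char *optarg)
{
    return bounded_copy(servername, sizeof servername, optarg);
}

/* Hardened form of init()'s strcat(s, argv[1]) in koules.sndsrv.linux.c,
 * where s is a 1024-byte stack buffer. Returns the accepted length or -1. */
int sndsrv_init_arg(const char *argv1)
{
    char s[1024];
    if (bounded_copy(s, sizeof s, argv1) != 0)
        return -1;
    return (int)strlen(s);   /* the real init() would go on to use s */
}

/* Helper: feeds a run of len 'A's (like the perl -e 'print "A" x N'
 * argument in the post) to set_servername() and returns its result. */
int try_servername_of_length(size_t len)
{
    char *arg = malloc(len + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    int rc = set_servername(arg);
    free(arg);
    return rc;
}
```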