Vulnerability Development mailing list archives

Re: New bugs discovered!

From: Syzop <syz () dds nl>
Date: Mon, 19 Nov 2001 21:02:56 +0100

jnf wrote:

Am I just stupid? How does that work?

esp            0xbffff210       0xbffff210
eip            0x40071a47       0x40071a47

he didnt even overwrite the esp/eip??


That's right, the crash is because of the free() at gzip.c line 1719:
    if (env != NULL)  free(env),  env  = NULL;
it's trying to free(0x41414141) if you pass a lot of A'z.
However, free() bugs are also exploitable...
see for example the two articles (8&9) in the last phrack (#57).

    Syzop.

Current thread:

Re: New bugs discovered!, (continued)
- - - Re: New bugs discovered! Ciprian Csordas (Nov 19)
  - Re: New bugs discovered! Chris Ess (Nov 19)
    - Re: New bugs discovered! Bernhard Rosenkraenzer (Nov 19)
    - Re: New bugs discovered! Valdis . Kletnieks (Nov 19)
- Re: New bugs discovered! InterceptiX Security (Nov 19)
  - Re: New bugs discovered! Ron DuFresne (Nov 19)
- Re: New bugs discovered! Meritt James (Nov 19)
- Re: New bugs discovered! GomoR (Nov 19)
  - Re: New bugs discovered! sy4n (Nov 19)
- Re: New bugs discovered! jnf (Nov 19)
  - Re: New bugs discovered! Syzop (Nov 19)
- Re: New bugs discovered! X (Nov 19)
  - Re: New bugs discovered! Croquette Friskies (Nov 19)
- Re: New bugs discovered! The Itch (Nov 19)
  - Re: New bugs discovered! Alex Butcher (vuln-dev) (Nov 20)
- RE: New bugs discovered! dave . goldsmith (Nov 19)
- RE: New bugs discovered! DePriest, Jason R. (Nov 19)