Vulnerability Development mailing list archives

aim exploit details


From: "david evlis reign" <davidreign () hotmail com>
Date: Sat, 09 Mar 2002 04:03:18 +0000

Array manipulation, or a non-null-terminated buffer after o_strncpy was called?

function: o_strncpy
       1218b4f9 8b4508 mov eax,[ebp+0x8] ss:00c
       1218b4fc 3b450c cmp eax,[ebp+0xc] ss:00c
       1218b4ff 7419 jz LoadRendezvousString+0x39f6 (
       1218b501 8a06 mov al,[esi]
       1218b503 8807 mov [edi],al
       1218b505 47 inc edi
       1218b506 ff4508 inc dword ptr [ebp+0x8] ss:00c
       1218b509 46 inc esi
       1218b50a 43 inc ebx
       1218b50b 8a06 mov al,[esi]
FAULT ->1218b50d 8807 mov [edi],al
       1218b50f 47 inc edi
       1218b510 ff4508 inc dword ptr [ebp+0x8] ss:00c
       1218b513 46 inc esi
       1218b514 43 inc ebx
       1218b515 803e00 cmp byte ptr [esi],0x0
       1218b518 75cf jnz LoadRendezvousString+0x3bc5 (
       1218b51a 8b4d0c mov ecx,[ebp+0xc] ss:00c
       1218b51d 3bf9 cmp edi,ecx
       1218b51f 7312 jnb OscoreUseCurrentAcceleratorTable+
       1218b521 2bcf sub ecx,edi
       1218b523 33c0 xor eax,eax

Below is a portion of the asm code for the file oscar.dll:
===============================================
.text:1218B4E9 loc_1218B4E9: ; CODE XREF: o_strncpy+61j
.text:1218B4E9 cmp edi, [ebp+lpsz]
.text:1218B4EC jnb short loc_1218B533
.text:1218B4EE push esi ; lpsz
.text:1218B4EF call ds:CharNextA
.text:1218B4F5 cmp eax, ebx
.text:1218B4F7 jnz short loc_1218B50B
.text:1218B4F9 mov eax, [ebp+arg_0]
.text:1218B4FC cmp eax, [ebp+lpsz]
.text:1218B4FF jz short loc_1218B51A
.text:1218B501 mov al, [esi]
.text:1218B503 mov [edi], al
.text:1218B505 inc edi
.text:1218B506 inc [ebp+arg_0]
.text:1218B509 inc esi
.text:1218B50A inc ebx
===============================================
.text:1218B50B loc_1218B50B: ; CODE XREF: o_strncpy+40j
.text:1218B50B mov al, [esi]
.text:1218B50D mov [edi], al ; <<<---HERE IS THE P
.text:1218B50F inc edi
.text:1218B510 inc [ebp+arg_0]
.text:1218B513 inc esi
.text:1218B514 inc ebx
.text:1218B515 cmp byte ptr [esi], 0
.text:1218B518 jnz short loc_1218B4E9
=================================================
.text:1218B51A loc_1218B51A: ; CODE XREF: o_s
.text:1218B51A ; o_strncpy+48j
.text:1218B51A mov ecx, [ebp+lpsz]
.text:1218B51D cmp edi, ecx
.text:1218B51F jnb short loc_1218B533
.text:1218B521 sub ecx, edi
.text:1218B523 xor eax, eax
.text:1218B525 mov edx, ecx
.text:1218B527 shr ecx, 2
.text:1218B52A repe stosd
.text:1218B52C mov ecx, edx
.text:1218B52E and ecx, 3
.text:1218B531 repe stosb
.text:1218B533
==================================================

Here are the stack variables:
===========================
00000000 s db 4 dup(?)
00000004 r db 4 dup(?)
00000008 arg_0 dd ?
0000000C lpsz dd ? ; offset (FFFFFFFF)
00000010 arg_8 dd ?
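The copy loop in the listing, rendered as an added C model (this is not AOL's code and not part of the original post). It keeps the behaviour visible in the disassembly: copy until a NUL or until the end pointer, zero-fill only the remaining tail, and write no terminator at all when the source fills the buffer up to lpsz. Assumed mapping: arg_0/edi is the destination, esi the source, lpsz the end pointer; the CharNextA lead-byte branch is omitted and the buffer sizes and strings are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical C rendering of the o_strncpy loop in the listing (not AOL's code);
 * single-byte characters only, the CharNextA lead-byte branch is left out.
 * dst = arg_0/edi, src = esi, end = lpsz (one past the last writable byte). */
static char *model_o_strncpy(char *dst, const char *src, char *end)
{
    char *p = dst;
    /* loc_1218B4E9 bound check, then loc_1218B50B byte copy and NUL test */
    while (p < end && *src != '\0')
        *p++ = *src++;
    /* loc_1218B51A: zero-fill only the tail left when the source ended early;
     * if the copy ran all the way to end, nothing more is written: no NUL */
    if (p < end)
        memset(p, 0, (size_t)(end - p));      /* repe stosd / repe stosb */
    return dst;
}

/* Run the model into an n-byte buffer (n <= 64) and report whether a NUL
 * landed anywhere inside those n bytes. */
static bool model_terminates(const char *src, size_t n)
{
    char buf[64];
    if (n == 0 || n > sizeof buf) return false;
    memset(buf, 'X', sizeof buf);             /* poison so a missing NUL shows */
    model_o_strncpy(buf, src, buf + n);
    return memchr(buf, '\0', n) != NULL;
}

/* Hardened wrapper: give the model one byte less and always write the NUL. */
static char *copy_terminated(char *dst, size_t n, const char *src)
{
    if (n == 0) return dst;
    model_o_strncpy(dst, src, dst + n - 1);
    dst[n - 1] = '\0';
    return dst;
}

static char scratch[64];                      /* constructed demo buffer */

int main(void)
{
    printf("short source terminated: %d\n", model_terminates("ABC", 8));        /* 1 */
    printf("long source terminated:  %d\n", model_terminates("ABCDEFGHIJ", 8)); /* 0 */
    printf("wrapper: %s\n", copy_terminated(scratch, 8, "ABCDEFGHIJ"));         /* ABCDEFG */
    return 0;
}
```

A source of exactly n bytes also leaves the buffer unterminated, which is the same edge case the C library's strncpy has; any later call that treats the buffer as a C string then reads past it.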





