Vulnerability Development mailing list archives

Re: vulnerabilities in this code chunk


From: bluepass () gmail com
Date: 28 Jul 2007 00:18:47 -0000

It is vulnerable to heap overflows.

An unsigned int and an unsigned long have the same size (4 bytes), as well as the same range (0 to 4294967295). The 
function 'copy_data()' takes 'data_len' as an unsigned int. The function 'memcpy()' takes its parameter as a 'size_t' 
which is nothing but an unsigned long.

If we send 'data_len' as 0xFFFFFFF8, when the 8 is added inside 'malloc()' it will become 0x100000000, and the leading 1, being an overflow, will be dropped. Note that this overflow is not the same as the heap overflow. This will cause 'malloc()' to allocate no space; however, it will return an address.

When the data is added to it with 'memcpy()', it will cause a heap overflow. With good shellcode as 'data', and knowing that its address will be buf+8, you can execute arbitrary code.


- BluePass
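The size wrap described in this post, beside the length check that rejects it, as an added C example; this is not the code chunk from the thread. The 8-byte header, the function names, and the use of uint32_t to stand in for the 32-bit size_t the post discusses are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 8u   /* assumed 8-byte header that precedes the copied data */

/* Unchecked form: the size handed to malloc() in the shape the post describes.
 * With data_len = 0xFFFFFFF8 the addition wraps to 0 in 32-bit arithmetic. */
uint32_t unchecked_alloc_size(uint32_t data_len)
{
    return data_len + HDR_LEN;
}

/* Returns 1 if data_len + HDR_LEN cannot be represented in 32 bits. */
int size_would_wrap(uint32_t data_len)
{
    return data_len > UINT32_MAX - HDR_LEN;
}

/* Hardened form: validate the length against both the arithmetic range and
 * the number of bytes actually available (avail) before allocating. */
char *copy_data_safe(const char *data, uint32_t data_len, uint32_t avail)
{
    if (data_len > avail || size_would_wrap(data_len))
        return NULL;                       /* reject instead of wrapping */
    char *buf = malloc(data_len + HDR_LEN);
    if (buf == NULL)
        return NULL;
    memset(buf, 0, HDR_LEN);               /* placeholder header contents */
    memcpy(buf + HDR_LEN, data, data_len); /* payload lands at buf+8 */
    return buf;
}

/* Helper for checking results: 1 if the copy was accepted and the payload is
 * intact at buf+8, 0 if the length was rejected. Frees the buffer. */
int copy_data_roundtrip(const char *data, uint32_t data_len, uint32_t avail)
{
    char *buf = copy_data_safe(data, data_len, avail);
    if (buf == NULL)
        return 0;
    int ok = memcmp(buf + HDR_LEN, data, data_len) == 0;
    free(buf);
    return ok;
}
```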

