Bugtraq mailing list archives
Re: Buffer overflow in the query cgi.
From: tqbf () ENTERACT COM (Thomas H. Ptacek)
Date: Sun, 5 Jan 1997 01:34:45 -0600
> typedef struct { char name[128];
> ...
> main(int argc, char *argv[]) { entry entries[10000];
> ...
> getword(entries[x].val,cl,'&');
> else can exploit this. It should be pretty easy since all you have to do is supply 128 bytes, then enough code to get up to the stack and overwrite it, all in the query string.
Heh. You'll need to supply considerably more than 128 bytes - you'll need to supply at least ((128 * 2) * 10000) - ((128 * 2) * ENTRIESUSED) bytes. entries[10000] is an array of structures allocated on the stack in main()'s stack frame. Each of those structures contains two 128-byte arrays. Enjoy.

Also, overflows onto main()'s stack frame can complicate things in some architectures, especially on Suns (register windows, double return past crt0), and especially when (as is usually the case) the application exit()'s rather than returning back into crt0. The conventional overwrite-the-activation-record trick might not be the best way to approach the problem in these cases.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
----------------
exit(main(kfp->kargc, argv, environ));
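An added example, not code from the thread or from the query CGI itself: it reproduces the quoted entry layout so the distance arithmetic above can be checked with sizeof, and pairs it with a bounded stand-in for getword() that clips an overlong field instead of running off the end of it. getword_bounded, parse_query, demo_overlong_value and the sample query string are assumptions, since the original getword() body is not shown in the thread.

```c
#include <stddef.h>
#include <string.h>

/* Layout as quoted in the thread: 10000 entries of two 128-byte fields. */
#define ENTRY_BUF   128
#define MAX_ENTRIES 10000
typedef struct { char name[ENTRY_BUF]; char val[ENTRY_BUF]; } entry;

/* Bytes from entries[used] to the array end: the thread's ((128*2)*10000) - ((128*2)*ENTRIESUSED). */
size_t bytes_to_array_end(size_t used) { return sizeof(entry) * (MAX_ENTRIES - used); }

/* Bounded stand-in for getword() (hypothetical; its body is not in the thread):
   copy up to delim or until dst is full, NUL-terminate, skip the delimiter. */
int getword_bounded(char *dst, size_t dstsz, const char **src, char delim) {
    size_t n = 0;
    int truncated = 0;               /* 1 if input had to be dropped */
    const char *p = *src;
    for (; *p && *p != delim; p++) {
        if (n + 1 < dstsz) dst[n++] = *p;
        else truncated = 1;
    }
    dst[n] = '\0';
    if (*p == delim) p++;
    *src = p;
    return truncated;
}

/* Parse "name=val&name=val..." into at most max entries; returns the
   number of fields that were clipped instead of overflowing. */
int parse_query(const char *cl, entry *entries, size_t max, size_t *used) {
    int truncated = 0;
    *used = 0;
    while (*cl && *used < max) {
        truncated += getword_bounded(entries[*used].name, ENTRY_BUF, &cl, '=');
        truncated += getword_bounded(entries[*used].val, ENTRY_BUF, &cl, '&');
        (*used)++;
    }
    return truncated;
}

/* Constructed input: a 598-byte value then a second field; returns 1 if the
   overlong value was clipped and the next entry still parsed intact. */
int demo_overlong_value(void) {
    static char q[800];
    entry e[4]; size_t used;
    memset(q, 'A', 600); memcpy(q, "x=", 2); memcpy(q + 600, "&y=z", 5);
    int t = parse_query(q, e, 4, &used);
    return t == 1 && used == 2 && strlen(e[0].val) == ENTRY_BUF - 1
        && strcmp(e[1].name, "y") == 0 && strcmp(e[1].val, "z") == 0;
}
```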