Vulnerability Development mailing list archives
Re: Stack Interpretation and Manipulation
From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Mon, 11 Sep 2000 21:34:24 +0200
I would like to better understand these vulnerabilities that may exist in my programs so I can avoid making them in the future. Are there any online resources available to show beginning programmers how to interpret stack dumps, so that we can avoid creating them in the future?
With coredumps (a far more sophisticated debugging tool than the common stack dumps presented by e.g. Windows at page faults) there are very powerful debugging tools, such as applying gdb to the coredump. I'm no expert on gdb... With a bit of commercialism, www.11a.nu has a page about overflows which is aimed at beginners who don't yet understand what it is; have a look at it. If someone has a good tutorial on how to examine coredumps I'd love to add it to our site :)

Well, back to the subject! If you, as an example, manage to crash some Windows application with some totally random string, such as "A" x 2000, you'll probably get some box telling you the values of the registers. If EIP goes 41414141, or 61616161 (the "A"s got lowercased), the application is easily exploitable via a buffer overflow. If that's not the case, you need a very thorough understanding of how the application works in order to make anything exploitable out of this - many researchers choose to drop it here and list it as "Vulnerable but no working exploit produced".

How do you avoid this specific vulnerability?

1. Don't use C or C++. They are bug-prone languages in which the average programmer commonly makes implementation faults that will pass syntax checks (i.e. other languages wouldn't allow the code to compile without modifications).
2. If you do use C or C++, be careful with str*, *printf, popen, etc.
3. Actually have a good, secure design :-)

Theoretically, the above solves everything. The only problem is we like C; it allows you to code fast and carelessly, so we use it even if we know it is dangerous. And since we're also human, we forget to check some of the known dangerous routines. And since we're lazy, much software is never really designed - we build a prototype and keep it, eh? :)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
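An added example, not from the post or from 11a.nu, of the bounded-copy fix that point 2 above calls for, next to the unbounded str* pattern it replaces, plus the register-triage rule the post describes (EIP made of one repeated input byte). NAME_LEN, greet_unsafe, greet_safe, demo_long_input and register_fill_byte are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64   /* hypothetical fixed-size stack buffer */

/* "Before": the str* pattern the post warns about; input longer than NAME_LEN-1
 * bytes runs past buf into the saved return address, hence EIP = 0x41414141. */
void greet_unsafe(const char *name) {
    char buf[NAME_LEN];
    strcpy(buf, name);                   /* unbounded copy */
    printf("hello %s\n", buf);
}

/* "After": bound the copy by the destination size and reject input that
 * does not fit rather than truncating silently. Returns 0 or -1. */
int greet_safe(const char *name) {
    char buf[NAME_LEN];
    size_t n = strnlen(name, NAME_LEN);  /* never scan past the buffer size */
    if (n >= NAME_LEN)
        return -1;                       /* too long: rejected */
    memcpy(buf, name, n);
    buf[n] = '\0';
    printf("hello %s\n", buf);
    return 0;
}

/* Feed greet_safe a constructed string of len 'A's (the post's "A" x 2000). */
int demo_long_input(size_t len) {
    static char s[4096];
    if (len >= sizeof s) return -2;
    memset(s, 'A', len);
    s[len] = '\0';
    return greet_safe(s);
}

/* Register triage rule from the post: a faulting EIP that is one input byte
 * repeated (0x41414141 for "A", 0x61616161 once lowercased) means the return
 * address was overwritten with input. Returns that byte, or -1. */
int register_fill_byte(uint32_t reg) {
    uint32_t b = reg & 0xffu;
    return (b != 0 && reg == b * 0x01010101u) ? (int)b : -1;
}

int main(void) {
    printf("2000 x 'A' -> %d\n", demo_long_input(2000));                  /* -1 */
    printf("EIP 0x41414141 -> %d\n", register_fill_byte(0x41414141u));    /* 65 */
    return 0;
}
```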
Current thread:
- Stack Interpretation and Manipulation Mindy Kimble (Sep 12)
- Re: Stack Interpretation and Manipulation Robert van der Meulen (Sep 12)
- Re: Stack Interpretation and Manipulation antirez (Sep 12)
- Re: Stack Interpretation and Manipulation Bluefish (P.Magnusson) (Sep 12)
- <Possible follow-ups>
- Re: Stack Interpretation and Manipulation Robert G. Ferrell (Sep 12)