Results 1 to 10 of 10

Thread: Is this bug exploitable?

Hybrid View

  1. #1

    Is this bug exploitable?

    i have found a bug during my reversing and i'm not sure it is exploitable i converted the ASM to C code so it would be easier to understand:

    memcpy(*DstData, Msg->data, Msg->dataLength);

    Msg->data acctual size is only 4 bytes
    DstData is maximum size of 256 bytes

    what i can control is the Msg->dataLength
    i can set a larger value the the Msg->data size.

    the exception i get is : "..access to invalid memory.."

    is this bug can be somehow exploited via maybe Heap ?


  2. #2
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    By "exploitable", I assume you mean code execution.

    Depends on whether or not you can control what's after the 4 bytes of Msg->data. Reliability also may depend on whether DstData is on the stack or heap, and if GS, NX, and ASLR are used.

    Feel free to msg me with details of the target if you'd like some help.

  3. #3
    - 4 bytes of Msg->data can be controled.
    - DstData is on the stack
    - GS is in use
    - ASLR not in use.

  4. #4
    4 bytes of Msg->data can be controled.
    well, you can exploit with even 1 byte, as long as you can overwrite the EBP pushed initially by a call with stack frame (not trivial, but possible).

    - DstData is on the stack

    - ASLR not in use.
    ASLR is only useful when your exploits hardcode directly DLL functions addresses!!!
    this technique is just a quick&dirty solution, and aslr only targets it.
    Way better: you can access always valid, IAT pointers in the main executable. ASLR never touch the main exe because 98% of exe files are with relocation symbols stripped... Also, say you exploited a system DLL: what prevents you to |&64k, MZ found? -$1000 and loop| and then just moving to interesting IAT/EAT? Well, surerly it requires a little more space, but not all that much to good assembler coders. So, a bit more asm effort to get an always reliable access to API...
    Last edited by Maximus; September 5th, 2010 at 04:52. Reason: about win...
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    ..."a shellcode is a command you do at the linux shell"...

  5. #5
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    If you have absolutely no control over the data in memory more than 4 bytes after the beginning of Msg->data then it'll be hard to do any kind of reliable code execution and you likely will just have a DoS. Is Msg->data a global buffer or is it on the heap? If the former, do you control anything in global memory after that buffer?

  6. #6
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Blog Entries
    cmon, IMHO these forums are not for exploit-builders help..
    why should we do such things anyway?
    if you are concerned about software's quality, then notify authors about bug.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts