Re[2]: memcpy with negative length and destination on heap - exploitable?
From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 12/26/01
- Previous message: dullien@gmx.de: "Re: memcpy with negative length and destination on heap - exploitable?"
- In reply to: dullien@gmx.de: "Re: memcpy with negative length and destination on heap - exploitable?"
- Next in thread: Pavel Kankovsky: "Re: memcpy with negative length and destination on heap - exploitable?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Dec 2001 22:02:18 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: dullien@gmx.de
Hello dullien,
--Wednesday, December 26, 2001, 6:13:30 PM, you wrote to 3APA3A@SECURITY.NNOV.RU:
3>> memcpy(dst, src + POSITION + 1, len); len is too long then
3>> converted to size_t and memcpy will crash... Is it possible to
3>> avoid it if destination buffer is on heap? Program is available
3>> on all possible platforms :)
dgd> If it happens on the stack (under NT), you might be able to
dgd> overwrite SEH structures before segfaulting and thus gain control.
If it happens on the stack, it may be possible to overwrite the 'len'
argument with any desired value. If memcpy() doesn't use a register copy
of len (for example, the one from libuucp), that makes it possible to
exploit it.
-- ~/ZARAZA For facts are facts, and they are set down only so that they may be understood and believed. (Twain)
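The following is an added example, not code from the thread or from any of its participants. It models the point 3APA3A makes above in a small C program: a negative int length becomes a huge size_t, and if the copy routine re-reads its length from memory on every iteration (instead of caching it in a register), an attacker whose data overwrites that slot can plant a small value and stop the copy before it runs off the end. The stack layout (a 16-byte buffer with the length slot directly above it, a 64-byte "frame" beyond which the copy is treated as faulting) and the planted length of 24 are assumptions made for the model, not a real ABI; the payload is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the situation in the thread: a destination
 * buffer on the stack with the slot holding memcpy's length argument
 * sitting a fixed distance above it. The offsets are assumptions made
 * for this model, not a real ABI layout. */
#define DST_SIZE        16u              /* bytes in the destination buffer     */
#define LEN_OFF         DST_SIZE         /* length slot sits right above it     */
#define FRAME_SIZE      64u              /* writing at or past this "faults"    */
#define OVERWRITTEN_LEN ((size_t)24)     /* value the payload plants in the slot */

/* The bug under discussion: a negative int length converted to size_t. */
static size_t to_size_t(int len) { return (size_t)len; }   /* -1 -> SIZE_MAX */

struct copy_result {
    size_t copied;   /* bytes written before the loop ended          */
    int faulted;     /* 1 if the copy ran off the end of the frame   */
};

/* Copy loop that re-reads the length from its memory slot on every
 * iteration (the behaviour the post describes as exploitable). */
static struct copy_result copy_rereading_len(unsigned char *frame, const unsigned char *src)
{
    struct copy_result r = {0, 0};
    for (;;) {
        size_t cur;
        memcpy(&cur, frame + LEN_OFF, sizeof cur);     /* re-read the argument slot */
        if (r.copied >= cur) break;                    /* planted small length stops us */
        if (r.copied >= FRAME_SIZE) { r.faulted = 1; break; }
        frame[r.copied] = src[r.copied];
        r.copied++;
    }
    return r;
}

/* Copy loop that reads the length once at entry, as a register copy would:
 * overwriting the slot afterwards changes nothing, and the copy faults. */
static struct copy_result copy_cached_len(unsigned char *frame, const unsigned char *src)
{
    struct copy_result r = {0, 0};
    size_t n;
    memcpy(&n, frame + LEN_OFF, sizeof n);             /* read once, never again */
    while (r.copied < n) {
        if (r.copied >= FRAME_SIZE) { r.faulted = 1; break; }
        frame[r.copied] = src[r.copied];
        r.copied++;
    }
    return r;
}

/* Frame with the bad (negative turned huge) length already in its slot. */
static void init_frame(unsigned char *frame)
{
    size_t bad_len = to_size_t(-1);
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + LEN_OFF, &bad_len, sizeof bad_len);
}

/* Constructed attacker input: fills the buffer, then lands OVERWRITTEN_LEN
 * (host byte order) exactly on the length slot. */
static void build_payload(unsigned char *payload)
{
    size_t planted = OVERWRITTEN_LEN;
    memset(payload, 'A', FRAME_SIZE);
    memcpy(payload + LEN_OFF, &planted, sizeof planted);
}

static struct copy_result run_rereading(void)
{
    unsigned char frame[FRAME_SIZE], payload[FRAME_SIZE];
    build_payload(payload);
    init_frame(frame);
    return copy_rereading_len(frame, payload);
}

static struct copy_result run_cached(void)
{
    unsigned char frame[FRAME_SIZE], payload[FRAME_SIZE];
    build_payload(payload);
    init_frame(frame);
    return copy_cached_len(frame, payload);
}

int main(void)
{
    struct copy_result a = run_rereading(), b = run_cached();
    printf("(size_t)-1 = %zu\n", to_size_t(-1));
    printf("re-reading loop: copied %zu bytes, faulted=%d\n", a.copied, a.faulted);
    printf("cached loop:     copied %zu bytes, faulted=%d\n", b.copied, b.faulted);
    return 0;
}
```

The re-reading loop stops after 24 bytes because the bytes it copied into the slot replaced SIZE_MAX with the planted 24; the cached loop keeps going until it hits the frame boundary. The caveat for a real target: most libc memcpy implementations keep the count in a register (or copy in words, or backwards), so whether this trick works has to be checked against the actual memcpy the binary links, which is exactly the condition the post attaches to it.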