Re: vulnerabilities in this code chunk
- From: bluepass@xxxxxxxxx
- Date: 28 Jul 2007 00:18:47 -0000
It is vulnerable to heap overflows.
An unsigned int and an unsigned long have the same size (4 bytes), as well as the same range (0 to 4294967295). The function 'copy_data()' takes 'data_len' as an unsigned int. The function 'memcpy()' takes its parameter as a 'size_t' which is nothing but an unsigned long.
If we send 'data_len' as 0xFFFFFFF8, when the 8 is added inside 'malloc()' it will become 0x100000000, and 1 being an overflow it will be dropped. Note that this overflow is not the same as the heap overflow. This will cause 'malloc()' to allocate no space, however it will return an address.
When the data will be added to it with 'memcpy()' it will cause a heap overflow. With a good shellcode as 'data' and knowing that its address will be buf+8, you can execute arbitrary code.