[3890] in bugtraq


Re: Buffer overflow in the query cgi.

daemon@ATHENA.MIT.EDU (Thomas H. Ptacek)
Sun Jan 5 03:28:48 1997

Date: 	Sun, 5 Jan 1997 01:34:45 -0600
Reply-To: tqbf@enteract.com
From: "Thomas H. Ptacek" <tqbf@enteract.com>
X-To:         apropos@sover.net
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <v03007800aef4968db6a8@[204.71.18.166]> from "Apropos of Nothing"
              at Jan 4, 97 11:29:00 pm

> typedef struct {
>     char name[128];

...

> main(int argc, char *argv[]) {
>     entry entries[10000];

...

>         getword(entries[x].val,cl,'&');

> else can exploit this.  It should be pretty easy since all you have to do
> is supply 128 bytes, then enough code to get up to the stack and overwrite
> it, all in the query string.

Heh. You'll need to supply considerably more than 128 bytes - you'll need
to supply at least ((128 * 2) * 10000) - ((128 * 2) * ENTRIESUSED) bytes.
entries[10000] is an array of structures allocated on the stack in
main()'s stack frame. Each of those structures contains two 128 byte
arrays. Enjoy.

Also, overflows onto main()'s stack frame can complicate things in some
architectures, especially on Suns (register windows, double return past
crt0), and especially when (as is usually the case) the application
exit()'s rather than returning back into crt0. The conventional
overwrite-the-activation-record trick might not be the best way to
approach the problem in these cases.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));
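Added example, not part of Ptacek's reply or of the query CGI quoted above: it puts the arithmetic from the reply into code against the struct layout the post shows, and sets a bounded getword() beside the CGI's parsing loop. Assumptions: the second 128-byte member is named val and follows name (only name is visible in the quote; val is inferred from the getword(entries[x].val, ...) call); the body of getword() is this example's own, modeled on the copy-to-delimiter contract implied by that call, since the original is not on the page; the names bytes_to_array_end, getword_bounded, parse_query and demo_long_value are made up for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Record layout from the quoted post: two 128-byte arrays per entry.
 * The post shows only the first member; that the second is named val
 * and follows name is inferred from the getword(entries[x].val, ...)
 * call, not stated on the page. */
typedef struct {
    char name[128];
    char val[128];
} entry;

#define NENTRIES 10000   /* entry entries[10000] in main()'s frame */

/* Bytes of query string that must be written into entries[used].val
 * before the copy runs past the end of the entries[] array (and so can
 * reach whatever main()'s frame keeps above it). This is the bound in
 * the reply, 256*10000 - 256*ENTRIESUSED, less the 128 bytes of name
 * that precede val inside the entry being written. */
size_t bytes_to_array_end(size_t used)
{
    if (used >= NENTRIES)
        return 0;
    return sizeof(entry) * (NENTRIES - used) - offsetof(entry, val);
}

/* Bounded getword(): same contract as the call in the thread (copy from
 * line up to the stop character, drop the stop, shift the rest of line
 * down), but never writes more than wordsz bytes, NUL included. Input
 * beyond wordsz-1 bytes is consumed and discarded rather than written.
 * wordsz must be >= 1. The body is this example's own; the original
 * getword() is not shown on the page. */
void getword_bounded(char *word, size_t wordsz, char *line, char stop)
{
    size_t x = 0, y = 0;

    while (line[x] != '\0' && line[x] != stop) {
        if (x < wordsz - 1)
            word[x] = line[x];
        x++;
    }
    word[x < wordsz - 1 ? x : wordsz - 1] = '\0';

    if (line[x] != '\0')        /* skip the delimiter itself */
        x++;
    while ((line[y++] = line[x++]) != '\0')
        ;                       /* shift the remainder of line down */
}

/* Parse "k=v&k=v..." from cl into ents in the order the CGI's loop uses
 * (value first, split on '&', then the name split off with '='), but
 * with bounded copies and a cap on the entry count. Modifies cl. */
size_t parse_query(entry *ents, size_t max, char *cl)
{
    size_t n = 0;

    while (*cl != '\0' && n < max) {
        getword_bounded(ents[n].val, sizeof ents[n].val, cl, '&');
        getword_bounded(ents[n].name, sizeof ents[n].name, ents[n].val, '=');
        n++;
    }
    return n;
}

/* Constructed input (not from the thread): a 300-byte value, far longer
 * than val[128], followed by a second pair. Returns 1 if the bounded
 * parser truncated the long value and still parsed the pair after it. */
int demo_long_value(void)
{
    static char q[512];
    entry e[2];
    size_t n;

    memcpy(q, "v=", 2);
    memset(q + 2, 'A', 300);
    memcpy(q + 302, "&x=y", 5);     /* includes the terminating NUL */

    n = parse_query(e, 2, q);
    return n == 2
        && strcmp(e[0].name, "v") == 0
        && strlen(e[0].val) == 125   /* 127 kept, minus the "v=" moved out */
        && strcmp(e[1].name, "x") == 0
        && strcmp(e[1].val, "y") == 0;
}

int main(void)
{
    printf("bytes from entries[0].val to end of array: %zu\n",
           bytes_to_array_end(0));
    printf("bounded parse of oversized value: %s\n",
           demo_long_value() ? "ok" : "FAILED");
    return 0;
}
```

bytes_to_array_end() is only the distance to the end of the array; what main()'s frame holds between the array and the saved return address depends on the compiler and platform, which is the point of the second paragraph of the reply.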
