📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
Fooling strlen()?

Topic created on: August 28, 2007 17:03 CDT by xeon.

Hi,
While reversing a web server, I've seen that every piece of information in the client request gets strlen()+memcpy()'d into specifically allocated heap buffers.
I would like to know if you know some trick to fool strlen() into reporting fewer or more characters than there really are, with which I could try to trigger a heap overflow.
Thanks!

  jms     August 29, 2007 00:35.07 CDT
Well, you can't really fool strlen(), but let's say that the web server did a calculation on Content-Length: and then used that in an inline memcpy; then setting the Content-Length: header to some value like 0xff, etc. could produce an integer overflow, which would then create some heap/stack problems later on.

Any other details you might be able to provide that I could help you with?

  jms     August 29, 2007 00:35.49 CDT
Oh, and some other interesting headers that usually cause size calculations to be done are the range request headers; look up the RFC and take a peek at it.

  xeon     August 29, 2007 06:53.28 CDT
Thank you jms for the advice, but I've already tried that (giving strange values to the Content-Length header) without luck. The value of the header gets converted to an integer through a strtol(), and it is checked whether it is less than 0. Later, if the page requested is a script to be executed, this integer is snprintf()'ed to a buffer. :/
Also, Content-range doesn't appear to be honored.
Other ideas welcome :)

  jms     August 29, 2007 07:36.29 CDT
Well, the Content-Range header is what the server returns to you, and it should come with the status code 206 and not 200 (that is, if it's RFC compliant). What you are looking for is the Range: header, which allows you to specify the range of bytes you would like to request from the HTTP resource:

Range: bytes=10-11

will grab bytes 10 and 11; this can be played with.

As well, if the integer is copied around to a buffer, I would do some more RE work to see what that integer eventually gets used for; you might find some goodies in there.

  weiss     September 6, 2007 06:22.26 CDT
Sometimes you can check for signed/unsigned conditions.
Look at JG/JL/JGE/JLE, etc. These are signed checks, which can sometimes lead to buffer overflows.

Compile C code and look at the assembly when working with signed/unsigned data types; you'll notice different opcodes used.

You can see the difference with IMUL/MUL for signed/unsigned values too... you get the picture.
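
As an added illustration of the signed-compare point above (example code written for this thread, not from any poster or from the server under discussion), the following C shows a length field parsed with strtol(), as xeon describes, and then bounded with a signed compare, which the compiler emits as JG/JLE. A negative value is "not greater than" the limit, so it passes and turns into SIZE_MAX when handed to a copy routine. The hardened check rejects negatives first and compares as an unsigned quantity. MAX_FIELD and the function names are assumptions for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_FIELD 256   /* hypothetical per-field limit the server enforces */

/* Parse a decimal length field the way the thread describes (strtol).
 * Returns 1 and stores the value on success, 0 on a malformed field.
 * Note that strtol happily returns negative numbers. */
int parse_len(const char *s, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return 0;
    *out = v;
    return 1;
}

/* Weak check: the length is held in a signed int and compared with a signed
 * compare (JG/JLE on x86). A negative length is "not greater than MAX_FIELD",
 * so it is accepted. Returns 1 if accepted, 0 if rejected. */
int accept_len_signed(int len)
{
    if (len > MAX_FIELD)
        return 0;
    return 1;
}

/* Hardened check: reject negatives explicitly, then bound the value as an
 * unsigned quantity. With size_t operands the compiler emits JA/JBE instead. */
int accept_len_checked(long len)
{
    if (len < 0 || (size_t)len > MAX_FIELD)
        return 0;
    return 1;
}

/* The size a copy routine (memcpy, strncpy) would actually receive once the
 * accepted int is converted to size_t: -1 becomes SIZE_MAX. */
size_t copy_size(int len)
{
    return (size_t)len;
}
```

When auditing, the thing to confirm is not just that a bound check exists but which compare instruction implements it: a JG/JLE pair on a value the client controls is the pattern weiss is pointing at.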

  jms     September 6, 2007 17:47.02 CDT
Yeah, exactly. So a simple exercise in this is to set a breakpoint on the recv functions (ws2_32.recv, ws2_32.WSARecv, wsock32.recv) and send a unique string in the areas where you are looking for length computations.

If you are seeing a cmp reg, your_input and then a JG, then you may have a shot at an integer overflow. Whatever byte is being used as the length comparison, you can set it to 0xff, which will get wrapped and treated as a very large number.

There are other cases where you pass in a huge number that gets added to, which ends up in an overflow and you get a truncated length. Now when the truncated length gets processed by malloc (this is assuming some really bad development practice) you will end up malloc'ing a very small buffer, and hopefully later on you are going to see a strncpy() or something along those lines trying to copy into that tiny buffer.

All kinds of neat integer/arithmetic problems :)
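
The "huge number that gets added to" case from the post above, and the Content-Length arithmetic jms mentioned earlier, as an added example (written for this thread, not code from any poster or from the server being reversed): a 32-bit allocation size is computed as the declared length plus a fixed header allowance plus one, so a declared length near UINT32_MAX wraps to a tiny buffer while the copy still uses the declared length. The checked version tests for the wrap before allocating. The helper names and the header allowance are assumptions; the overflowing copy is only reported, not performed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Vulnerable size computation (constructed example): the server adds a fixed
 * header allowance and a terminator to the client's declared length in 32-bit
 * arithmetic. Near UINT32_MAX the sum wraps to a tiny number. */
uint32_t alloc_size_wrapping(uint32_t declared_len, uint32_t header_len)
{
    return declared_len + header_len + 1;
}

/* Hardened version: detect the wrap before it happens. Returns 1 and stores
 * the size on success, 0 if the request must be rejected. */
int alloc_size_checked(uint32_t declared_len, uint32_t header_len, uint32_t *out)
{
    if (declared_len > UINT32_MAX - header_len)
        return 0;                    /* declared_len + header_len would wrap */
    uint32_t sum = declared_len + header_len;
    if (sum == UINT32_MAX)
        return 0;                    /* no room left for the terminator */
    *out = sum + 1;
    return 1;
}

/* Simulated handling path: allocate with the wrapping computation, then report
 * whether copying declared_len bytes into that buffer would exceed it. The
 * unsafe copy itself is never performed. Returns 1 if it would overflow,
 * 0 if not, -1 if malloc fails. */
int copy_would_overflow(uint32_t declared_len, uint32_t header_len)
{
    uint32_t sz = alloc_size_wrapping(declared_len, header_len);
    char *buf = malloc(sz ? sz : 1);
    if (!buf)
        return -1;
    int overflow = declared_len > sz;
    free(buf);
    return overflow;
}
```

In a debugger this shows up exactly as the post describes: the add that feeds malloc produces a small value, and the later copy still uses the original client-supplied length. The fix is to check the addition, not the malloc result.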
