If you're new to vulnerability hunting you may want to look at this one as it's pretty simple to spot. Writing an exploit for it though, is not as easy as it seems because of the stack layout (you overwrite 'len' and 'i') :)
The vulnerable function, BoGetDirection() is in spp_bo.c. The bad code is here:
// pkt_data => pointer to data after magic cookie
// len      => is a 32 bit int taken from the BO Header, with no checking.
// BoRand   => returns a 'random' number
static int BoGetDirection(Packet *p, char *pkt_data)
{
    u_int32_t len = 0;
    u_int32_t id = 0;
    u_int32_t l, i;
    char type;
    char buf1[1024];      /* fixed-size stack buffers ... */
    char buf2[1024];
    char *buf_ptr;
    char plaintext;
    ...
    /* Decrypt data */
    /* ... but 'len' comes straight from the header and is never compared
     * against sizeof(buf1)/sizeof(buf2) or the packet length */
    while ( i < len )
    {
        plaintext = (char) (*pkt_data ^ (BoRand()%256));
        *buf_ptr = plaintext;
        i++;
        pkt_data++;
        buf_ptr++;
        if ( plaintext == 0 )
            buf_ptr = buf2;   /* switch to buf2 at the first NUL; no bound either */
    }
    ...
/gerry
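For comparison, here is a bounded rewrite of the decrypt loop quoted above. This is added example code, not Snort's spp_bo.c; the keystream generator toy_rand_byte() is a stand-in assumption for BoRand(), and the two-buffer switch on a NUL byte is kept so the check can be seen at each write.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in keystream: a plain LCG with a fixed seed. This is an assumption for
 * the example, NOT Snort's BoRand(), which is seeded from the BO password hash. */
static uint32_t toy_seed;
static uint8_t toy_rand_byte(void)
{
    toy_seed = toy_seed * 214013u + 2531011u;
    return (uint8_t)((toy_seed >> 16) % 256);
}

/* Bounded rewrite of the loop quoted above: the header length is checked
 * against the bytes actually present, and every write is checked against the
 * room left in the buffer currently being filled. Returns bytes consumed, or
 * -1 if the packet is rejected. */
int bo_decrypt_bounded(const unsigned char *pkt_data, size_t avail, uint32_t len,
                       char *buf1, size_t cap1, char *buf2, size_t cap2)
{
    char *buf_ptr = buf1;
    size_t room = cap1;
    if (len > avail)               /* header claims more than the packet holds */
        return -1;
    toy_seed = 0;
    for (uint32_t i = 0; i < len; i++) {
        if (room == 0)             /* next write would run past the buffer */
            return -1;
        char plaintext = (char)(pkt_data[i] ^ toy_rand_byte());
        *buf_ptr++ = plaintext;
        room--;
        if (plaintext == 0) {      /* same switch to buf2 as the original */
            buf_ptr = buf2;
            room = cap2;
        }
    }
    return (int)len;
}

/* Constructed test-vector helper: XOR is symmetric, so "encrypting" plaintext
 * with the same keystream yields ciphertext the decoder above can consume. */
void toy_encrypt(const char *plain, size_t n, unsigned char *cipher)
{
    toy_seed = 0;
    for (size_t i = 0; i < n; i++)
        cipher[i] = (unsigned char)plain[i] ^ toy_rand_byte();
}
```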