This commit is contained in:
bt3gl 2014-11-20 13:48:39 -05:00
parent 943728662f
commit d8c1966631
3 changed files with 77 additions and 3 deletions


@ -99,7 +99,7 @@ mbstowcs(buf1, string1, sizeof(buf1)-1);
----
## Data Type Bugs
## Data Type Signedness
* Primitive data types (32 bit):
- signed char/unsigned char
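Review bot: the qualifier in `* Primitive data types (32 bit):` misdescribes the list it introduces, since the first entry `signed char/unsigned char` is one byte wide on any platform and the heading reads as if every listed type were 32 bits. Suggest either "Primitive data types (on a 32-bit platform)" or dropping the qualifier and noting each type's width next to it, because the signedness discussion that follows depends on knowing the width of the type being converted.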
@ -110,7 +110,24 @@ mbstowcs(buf1, string1, sizeof(buf1)-1);
- size_t (unsigned)
- size_t (signed)
* Integer overflow: Exceeding the amount of data in integer will result in **wrapping**. In the example below, x will be 0:
* By default all data types are signed unless specifically declared otherwise.
* Many functions which accept size arguments take unsigned values.
* char y=-1 has the same bit representation than unsigned char x=255.
* A large value in the unsigned type (highest bit set) is a negative value in the signed type.
* Function **read()** takes only unsigned values for lenght. So if this value is negative, from a if comparison, it will overflow.
* For example, if lenght is **-1** (which is 0xFFFFFFF), when the length check is performed, it is asking if -1 is less than a MAXNUMBER. Then, when the lenght is passed to read, it is converted to unsigned and becomes the unsigned equivalent of -1 (which for 32 bits is 42949672965).
---
## Integer overflow
* Exceeding the amount of data in integer will result in **wrapping**. In the example below, x will be 0:
```
x = 255;
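Review bot: the worked numbers in `* For example, if lenght is **-1** (which is 0xFFFFFFF), ...` are off: -1 as a 32-bit two's complement value is 0xFFFFFFFF (eight F's), and its unsigned equivalent is 4294967295, not 42949672965; since the bullet explains how a size check is bypassed, the value should be exact. Two further points in the same hunk: `- size_t (signed)` should read `ssize_t`, which is the signed type read() returns (size_t is always unsigned), and `* By default all data types are signed unless specifically declared otherwise.` should exempt plain `char`, whose signedness is implementation-defined, which matters because the `char y=-1` comparison two lines later relies on char being signed. Spelling: "lenght" → "length" (three occurrences), "the same bit representation than" → "as".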
@ -153,9 +170,38 @@ int getData(int sock)
```
### Auding Tips
------------------
## Metacharacter Injection
* In shell: quotes and semi-collon are metacharacters.
* Example, a command to unzip some input file could lead to a second executable command if the input has a **;**:
```
void extractUserZip(char *userFile)
{
char command[1024];
snprintf(command, 1023, "unzip %s", userFile);
system(command);
return;
}
```
----
## Auding Tips
* grep for malloc() and other memory allocation functions.
* look at the data types for size calculation.
* look at values used for size checks: are they signed?
* what happens if negative values are provided.
* look for eval functions such as **system()**.
---------------------------
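Review bot: `* In shell: quotes and semi-collon are metacharacters.` undersells the problem for an auditing checklist: the semicolon is only one of the characters the shell interprets, so a fix that filters `;` alone still leaves `system(command)` in `extractUserZip()` exploitable. The auditing section should name the structural fix, which is to keep user data out of a shell entirely (execute the program with an argument vector and validate the file name against an allow-list) rather than to escape individual characters. In `* look for eval functions such as **system()**.` it is worth listing `popen()` alongside `system()`, since it spawns a shell the same way. Spelling: "Auding" → "Auditing" in both headings, "semi-collon" → "semicolon".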