I was debugging a program, and discovered a line of code like so:

memcpy(stack_variable, attacker_supplied, read_length_from_packet(pPacket));

The read_length_from_packet function returns -1 if the length is bigger than 0x1FF, but it seems they forgot to actually check for -1.

And since memcpy takes a size_t (unsigned), the -1 gets converted to 0xFFFFFFFF, and I can massively overwrite the stack, so much that it writes to memory it shouldn't, raises an exception, and crashes.

Is there a way to make an exploit out of this, or will it just stay a crash?

– rev
  • Unix or Windows? In Windows, maybe, see the answer of @0x41414141. In Unix, no, there is nothing like SEH handlers, it will stay as a crash. – joxeankoret Feb 22 '15 at 11:42
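The defect described in the question is the sign conversion at the memcpy call site: a negative int passed where a size_t is expected becomes a huge unsigned value. The following is an added example (not code from the original program or the asker) showing a constructed packet parser with the same -1 convention, the conversion itself, and the length check that is missing. The packet layout (two-byte big-endian length followed by payload), the 0x1FF limit and the buffer size are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed packet layout for this example: 2-byte big-endian length, then payload. */
#define MAX_PAYLOAD 0x1FF          /* limit mentioned in the question */
#define STACK_BUF_SIZE 512         /* assumption: destination buffer holds MAX_PAYLOAD + 1 bytes */

/* Mirrors the behaviour described in the question: returns -1 on an oversize length. */
static int read_length_from_packet(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return -1;
    unsigned len = ((unsigned)pkt[0] << 8) | pkt[1];
    if (len > MAX_PAYLOAD)
        return -1;
    if (len > pkt_len - 2)          /* length must not exceed the bytes actually received */
        return -1;
    return (int)len;
}

/* The conversion the question describes: -1 as an int becomes SIZE_MAX as a size_t. */
size_t length_as_size_t(int len)
{
    return (size_t)len;
}

/* Hardened copy: returns 1 if the payload was copied, 0 if the packet was rejected.
   The "len < 0" test is the check the question says was forgotten; the bound against
   out_size protects the destination even if MAX_PAYLOAD is later changed. */
int copy_payload_checked(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_size)
{
    int len = read_length_from_packet(pkt, pkt_len);
    if (len < 0)
        return 0;
    if ((size_t)len > out_size)
        return 0;
    memcpy(out, pkt + 2, (size_t)len);
    return 1;
}

/* Constructed inputs: a valid 3-byte payload and a packet claiming 0x200 bytes. */
int demo_valid_packet(void)
{
    const uint8_t pkt[] = { 0x00, 0x03, 'a', 'b', 'c' };
    uint8_t out[STACK_BUF_SIZE] = { 0 };
    int copied = copy_payload_checked(pkt, sizeof pkt, out, sizeof out);
    return copied && out[0] == 'a' && out[1] == 'b' && out[2] == 'c';
}

int demo_oversize_packet(void)
{
    const uint8_t pkt[] = { 0x02, 0x00, 'x' };   /* declared length 0x200 > MAX_PAYLOAD */
    uint8_t out[STACK_BUF_SIZE] = { 0 };
    return copy_payload_checked(pkt, sizeof pkt, out, sizeof out);   /* expect 0: rejected */
}

int main(void)
{
    printf("-1 as size_t: %zu\n", length_as_size_t(-1));
    printf("valid packet copied: %d\n", demo_valid_packet());
    printf("oversize packet copied: %d\n", demo_oversize_packet());
    return 0;
}
```

Compiling with warnings about sign conversion enabled (for example -Wsign-conversion in GCC and Clang) flags the original pattern of passing an int return value straight into a size_t parameter, which is an easy way to find similar call sites across a codebase.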

1 Answer

Well, it's a simple buffer overflow, so probably yes, depending on what mitigations are available on the software/system you are targeting.

What you need to do is to overwrite something useful like:

  • return address stored on the stack.
  • SE handler address stored on the stack.
  • anything that lets you control the execution flow of the program.
– 0x41414141 (edited by Smi)
  • so if I put my handler's address in the payload, memcpy copies it, and then raises an exception, I can catch it? – rev Feb 22 '15 at 15:22