# Disboard #
  • Reconnaissance
    • Quick Guide
    • Ports and Protocols
    • Passive Reconnaissance
    • Active Reconnaissance
  • Web
    • OWASP Top 10
    • OWASP API
    • SQL Injection
      • Microsoft SQL Injection
    • Cross Site Scripting
    • Browser Vulnerabilities
    • Steganography
    • Fuzzing
  • Linux
    • Privilege Escalation
    • Hydra
    • Password Cracking
    • Docker
    • Program Life Cycle
    • Snort
  • Windows
    • Privilege Escalation
    • Active Directory
    • Powershell
  • Exploitation
    • Shells
      • Upgrading Shells
    • Metasploit
      • Meterpreter
    • KOTH
    • Source Code Review
  • Hack the Box
    • ARCHETYPE
    • BASE
    • BASHED
    • EXPLORE
    • NIBBLES
  • Try Hack Me
    • ADVENTURE TIME
    • HACKFINITY
    • MOTHER'S SECRET
    • OFFSEC
    • POSTEXPLOIT
    • ROASTED
    • TEMPEST
    • TRAVERSE
  • CompTIA
    • Network
      • 1.0 Networking Fundamentals
      • 2.0 Network Implementations
      • 3.0 Network Operations
      • 4.0 Network Security
      • 5.0 Network Troubleshooting
    • PenTest
  • SIEM
    • Splunk
    • Elastic
  • Wireless
    • Wi-Fi Hacking
  • Other
    • PicoCTF
    • SSH Tunneling
    • Life Hacks
    • My Pokémon API
    • Github
Powered by GitBook
On this page
  • [C] Check Again
  • Initial Thoughts
  • Further Analysis
  • [Rust] Beyond the Grave
  • Initial Thoughts
  • Further Analysis
  1. Exploitation

Source Code Review

Finding exploits in C code and sometimes other programming languages!

PreviousKOTHNextARCHETYPE

Last updated 7 months ago

[C] Check Again

Initial Thoughts

The size of the header structure is most likely 8, so the first if statement check if length > 1024+8-1 or length > 1031. I see that the buffer is of size 1024. During the second read_sock function call, it calls to buffer with length-8, this may lead to an overflow issue since only the upper bound of length was checked.

Further Analysis

The function get_data in theory takes in a socket and parses data into a buffer. The key vulnerability is on line 19:

if(read_sock(sock, buffer, length-sizeof(struct header)) <= 0) {

If the length variable is smaller than the header size, this will cause an overflow. For example, assume that the first message read the string "hello". The first read_sock would have read the message of length 5 and stored a header structure with length 5. This would have passed the comparison because length = 5 < 1031 but when it get's to the second read_sock function, it would call read_sock(sock, buffer, 5-8=-3). The -3 would wrap around to INT_MAX and allow the user to write much more than 1024 characters to the buffer.

[Rust] Beyond the Grave

Initial Thoughts

This is a piece of a rust code. It seems like it's declaring a public function called sign which creates a variable p that gets assigned two values, (1) being BioSlice data which is a pointer, and (2) which is a NULL pointer. There's a line that starts with unsafe, where it sets a variable named cms to cvt_p(CMS_sign(p)) which I'm guessing is a signature of the previous set data.

Further Analysis

This is a rust specific issue that has to do with rust object lifetimes. Within each curly brace set, a lifetime exists. When it goes out of scope, any variable defined within that lifetime gets freed. The first function actually sets the variable p to data if there is a return, else None if the pointer in NULL. The problem happens in the following line of code.

let cms = cvt_p(CMS_sign(p));

Here, p is going to get the value of the BioSlice that is newly created in that match statement. That data will get freed after leaving scope. The unsafe procedure let's you still access the p data without throwing an error from the compiler.