This time it is because of certain Germans I am really not satisfied with. In the previous article I wrote about possible exploits in poorly written code (i.e. if the coder were my employee he would already have been sacked).
It has been a few days since I used this exploit on a certain server... which has done exactly nothing to prevent it from happening again. I am confused about this, because these people claim to be working on their own software, so they should be experienced enough to prevent such a failure... and if they fail at that, they should at least be able to patch it. Quickly.
Consider the following code (again written in Python), which works as a 'smart' packet buffer reader, allowing us to read 16-bit integers (words) and strings whose length is indicated by a preceding word. It is only an excerpt; the original code does much more.

import struct

class reader:
    def __init__(self, buffer):
        self.buffer = buffer
        self.offset = 0
        self.length = len(buffer)
    def sword(self):
        # unsigned 16-bit word
        return struct.unpack('H', self.bytes(2))[0]
    def ascii(self):
        # string whose length is given by a preceding word
        count = self.sword()
        return self.bytes(count)
    def bytes(self, count):
        return self.buffer[self.offset:self.move(count)]
    def move(self, by):
        # advances the offset with no bounds check
        self.offset += by
        return self.offset
Notice the move function (highlighted in red in the original post). There is the mistake, the target of our exploitation: move merely adds a value (arg: by) to the current offset without checking that the resulting position is valid. Consider this simple solution... which works, remarkably.

def move(self, by):
    self.offset += by
    # the offset may reach self.length exactly (a read up to the last byte), but not pass it
    if self.offset > self.length or by < 0:
        raise IndexError
    return self.offset
So much for securing your own code, dummies...
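As an added illustration (my code, not the original post's), here are the unchecked reader and a checked variant side by side, run on a constructed packet whose length word claims 65535 bytes that are not there. Class and packet names are mine, and the word format is pinned to little-endian '<H' rather than the native 'H' used above.

```python
import struct

class UncheckedReader:
    """Same structure as the post's reader: move() trusts the caller."""
    def __init__(self, buffer):
        self.buffer = buffer
        self.offset = 0

    def move(self, by):
        self.offset += by
        return self.offset

    def bytes(self, count):
        # Python slicing past the end does not raise, it silently truncates
        return self.buffer[self.offset:self.move(count)]

    def sword(self):
        return struct.unpack('<H', self.bytes(2))[0]

    def ascii(self):
        return self.bytes(self.sword())

class CheckedReader(UncheckedReader):
    """Hardened variant: reject the move before touching the offset."""
    def move(self, by):
        if by < 0 or self.offset + by > len(self.buffer):
            raise IndexError('read of %d bytes at offset %d exceeds %d-byte buffer'
                             % (by, self.offset, len(self.buffer)))
        self.offset += by
        return self.offset

# Constructed packets: <length word><string><trailing word>
BENIGN_PACKET = struct.pack('<H', 5) + b'hello' + struct.pack('<H', 0xBEEF)
# Same layout, but the length word claims 65535 bytes that are not there
HOSTILE_PACKET = struct.pack('<H', 0xFFFF) + b'hello' + struct.pack('<H', 0xBEEF)

def parse_record(reader_cls, packet):
    """Return ('ok', text, word) or ('error', exception name, offset reached)."""
    reader = reader_cls(packet)
    try:
        text = reader.ascii()
        return 'ok', text, reader.sword()
    except (IndexError, struct.error) as exc:
        return 'error', type(exc).__name__, reader.offset

if __name__ == '__main__':
    for cls in (UncheckedReader, CheckedReader):
        print(cls.__name__, parse_record(cls, HOSTILE_PACKET))
```

The unchecked reader does not fail at the bogus length word itself: the slice quietly returns whatever bytes remain, the offset runs off to 65537, and the next word read hands an empty buffer to struct.unpack, which is where the handler dies with struct.error. The checked reader rejects the oversized read immediately, with the offset still at 2.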
Update (as of 20-08-2010): As it became obvious, the emulator that was public (and crashed many times) was actually sremu (which explains the resemblance). Hopefully the creators of the sunrise are not such dummies after all. We shall see in the near future.