HalVar Flake
HalVar Flake
Cons:
HalVar Flake
Cons:
HalVar Flake
Cons:
HalVar Flake
HalVar Flake
Application
Code
strcpy ( ) - Code
sprintf ( ) - Code
strcat ( ) - Code
Dynamic
Linkage Table
Executable Image
HalVar Flake
...
Dynamic Library
Application
Code
strcpy( ) - Code
strcat( ) - Code
....
Executable Image
HalVar Flake
HalVar Flake
4
eax, unkn_40D278
eax
eax, [ebp+var_458]
eax
_memcpy
HalVar Flake
HalVar Flake
HalVar Flake
HalVar Flake
HalVar Flake
HalVar Flake
HalVar Flake
HalVar Flake
HalVar Flake
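// Walk forward from a call site to the instruction that reclaims the
// pushed arguments (`add esp, N`) and return N.
//
// lpCall: address of the `call` instruction (cdecl callee assumed: the
//         caller, not the callee, pops the arguments).
// Returns the second operand of the first `add esp, N` reached by
// following code xrefs, converted with xtol(); returns 0 when the walk
// runs off the end of the xref chain (BADADDR) before finding one.
//
// The original loop condition was `(mnem != "add") && (opnd0 != "esp")`,
// which stops at the first `add` of any kind (e.g. `add eax, 4`) OR at
// any instruction whose first operand is esp (`mov esp, ebp`,
// `sub esp, 8`) and returns that instruction's second operand as the
// correction. The walk must continue until BOTH conditions hold.
//
// NOTE(review): this is a heuristic, not a stack-depth analysis. It
// follows Rfirst() one hop at a time and stops at the first match, so a
// compiler that reclaims arguments with `pop ecx`/`pop edx` instead of
// `add esp, N` is not recognised, and a wrong N here misaligns every
// GetArg() result that depends on it.
static GetStackCorr(lpCall)
{
    auto ea;

    ea = lpCall;
    while (ea != BADADDR)
    {
        if ((GetMnem(ea) == "add") && (GetOpnd(ea, 0) == "esp"))
            return xtol(GetOpnd(ea, 1));
        ea = Rfirst(ea);
    }
    return 0;
}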
HalVar Flake
HalVar Flake
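// Recover the n-th argument pushed before a call by tracing backwards
// through code xrefs.
//
// lpCall: address of the `call` instruction.
// n:      1-based index counted backwards from the call (1 = the last
//         push before the call, i.e. the first argument under the usual
//         right-to-left push order).
// Returns the operand text that was pushed. If the push operand is a
// register (GetOpType() == 1), the walk continues backwards to the most
// recent instruction whose first operand is that register and returns
// that instruction's second operand (e.g. `[ebp+var_458]` from
// `lea eax, [ebp+var_458]`). Returns "" when the backward walk reaches
// BADADDR (no more xrefs, e.g. the function start) before the push or
// the defining instruction is found — the original looped forever here.
//
// NOTE(review): this is pattern matching, not data-flow analysis.
// Known blind spots an auditor should keep in mind:
//  - RfirstB() yields the first code xref TO an address; at a jump
//    target that may be the jump source rather than the preceding
//    instruction, so the trace can leave the straight-line block.
//  - Pushes that belong to an earlier call in the same block
//    (`push a; call f; add esp, 4; push b; call sprintf`) are counted
//    as well; nothing here consults GetStackCorr() for intervening calls.
//  - "First operand == register" matches reads as well as writes
//    (`push eax`, `cmp eax, 0`), and ignores partial writes (`mov al, ..`)
//    and clobbers by `call`, so the returned operand may not be the
//    value actually pushed. Treat results as leads to verify by hand,
//    not as proof that a given buffer is the sprintf() target.
static GetArg(lpCall, n)
{
    auto ea, reg;

    // Trace back until the n-th push is found.
    ea = lpCall;
    while (n > 0)
    {
        ea = RfirstB(ea);
        if (ea == BADADDR)
            return "";
        if (GetMnem(ea) == "push")
            n = n - 1;
    }

    // Immediate or memory operand: that is the pushed value itself.
    if (GetOpType(ea, 0) != 1)
        return GetOpnd(ea, 0);

    // Register operand: find where the register was last accessed and
    // return the value it was loaded from.
    reg = GetOpnd(ea, 0);
    ea = RfirstB(ea);
    while ((ea != BADADDR) && (GetOpnd(ea, 0) != reg))
        ea = RfirstB(ea);
    if (ea == BADADDR)
        return "";
    return GetOpnd(ea, 1);
}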
HalVar Flake
// Audit a single sprintf() call site. Judging by the local names it is
// presumably meant to recover the format-string operand (and its address)
// and the destination-buffer operand via GetArg() — confirm against the
// full script.
//
// NOTE(review): the body is missing from this listing — the text jumps
// from the `auto` declaration straight into main() below, and the
// function is never closed here. Nothing beyond the declaration of
// fString, fStrAddr and buffTarget can be stated from this page.
static AuditSprintf(lpCall)
{
auto fString, fStrAddr, buffTarget;
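// Entry point: ask the auditor for the address of sprintf() (the function
// or its import slot) and run AuditSprintf() once per call site.
//
// Call sites are collected two ways:
//   1. code xrefs TO the address (direct `call sprintf`);
//   2. data xrefs TO the address (indirect `call ds:__imp_sprintf`, where
//      the instruction references the import slot as data).
// Only instructions whose mnemonic is `call` are audited. An indirect
// call through a register (`mov esi, ds:__imp_sprintf` ... `call esi`)
// surfaces as a `mov` data xref and is skipped, so such sites must be
// audited by hand — the script gives no coverage guarantee.
//
// Rfirst()/Rnext(), as in the original, enumerate code xrefs FROM the
// entered address — the instructions sprintf() itself flows or jumps
// to, not its callers — so that loop audited nothing; RfirstB()/RnextB()
// are the "xrefs to" variants. The original also never checked
// AskAddr() for a cancelled dialog (BADADDR).
static main()
{
    auto FuncAddr, xref;

    FuncAddr = AskAddr(-1, "Enter address:");
    if (FuncAddr == BADADDR)
        return;

    // Direct calls: code xrefs to the function.
    for (xref = RfirstB(FuncAddr); xref != BADADDR; xref = RnextB(FuncAddr, xref))
    {
        if (GetMnem(xref) == "call")
            AuditSprintf(xref);
    }

    // Indirect calls through the import slot: data xrefs to it.
    for (xref = DfirstB(FuncAddr); xref != BADADDR; xref = DnextB(FuncAddr, xref))
    {
        if (GetMnem(xref) == "call")
            AuditSprintf(xref);
    }
}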
HalVar Flake
HalVar Flake
Happy End
Why doesn't the webserver respond any more?
HalVar Flake