Date: Thu, 28 Oct 1999 18:57:43
From: Thomas Dullien <dullien@GMX.DE>
To: VULN-DEV@SECURITYFOCUS.COM
Subject: Possibly exploitable overflow in Alibaba 2.0
--------------------------------------------------------------------------------
Hello all together,
Tried a little freeware webserver named Alibaba 2.0 today
and found an exploitable overflow. I telnetted to 127.0.0.1:80
and crashed it using
POST [enter 1028 'x'] / HTTP/1.0
From a disassembled listing I found that it uses a
scanf("%s %s %s", szName, szFile, szSomething);
where szFile is a local variable of 0x400 (=1024) bytes
on the stack directly above the return address.
Coding an exploit for this is going to be a little tricky as
it mustn't have any 0x20, 0x00, 0x61-0x7A in it since
these bytes are changed by the foregoing function
that converts everything into uppercase.
I contacted the authors but they stated since it's freeware
there will be no support for it :)
If someone wants to code a full exploit, go ahead :)
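The defect described in the post is an unbounded `%s` conversion into a fixed 0x400-byte stack buffer. The following is an added example (not code from Alibaba or from the post) showing how a request-line parser can enforce the same 1024-byte token limit explicitly, so that the 1028-byte method/path token from the post is rejected instead of overwriting the stack; the struct and function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 0x400   /* same 1024-byte buffer size the post reports for szFile */

/* Hypothetical parsed request line: method, path, protocol version. */
struct request_line {
    char method[TOKEN_MAX];
    char path[TOKEN_MAX];
    char version[TOKEN_MAX];
};

/* Copy one whitespace-delimited token from p into dst (capacity cap).
 * Returns a pointer just past the token, or NULL if the token is empty or
 * would not fit, which is exactly the case an unbounded "%s" mishandles.
 * (A width-limited "%1023s" would also stop the overflow, but it silently
 * splits an over-long token into two, so length is checked explicitly here.) */
static const char *take_token(const char *p, char *dst, size_t cap)
{
    size_t len;
    p += strspn(p, " \t");              /* skip leading blanks, as %s does */
    len = strcspn(p, " \t\r\n");        /* token ends at whitespace or NUL */
    if (len == 0 || len >= cap)
        return NULL;                    /* empty token or no room for NUL */
    memcpy(dst, p, len);
    dst[len] = '\0';
    return p + len;
}

/* Parse "METHOD PATH VERSION" into out. Returns 1 on success, 0 on a
 * malformed line, an over-long token, or trailing garbage. */
int parse_request_line(const char *line, struct request_line *out)
{
    const char *p = line;
    if (!(p = take_token(p, out->method,  sizeof out->method)))  return 0;
    if (!(p = take_token(p, out->path,    sizeof out->path)))    return 0;
    if (!(p = take_token(p, out->version, sizeof out->version))) return 0;
    p += strspn(p, " \t\r\n");
    return *p == '\0';
}

/* Constructed test input reproducing the post's crash request:
 * "POST " followed by 1028 'x' bytes, then " / HTTP/1.0". */
const char *overlong_request(void)
{
    static char buf[5 + 1028 + 12];
    memcpy(buf, "POST ", 5);
    memset(buf + 5, 'x', 1028);
    memcpy(buf + 5 + 1028, " / HTTP/1.0", 12);   /* 11 chars plus NUL */
    return buf;
}
```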