mIRC 6.34 (latest) Remote Overflow

When a PRIVMSG arrives, the vulnerable function is called to copy the nickname to a buffer:



Let's look at the pseudocode of the call; its arguments are (dest, bytes to copy, src):



Now the vulnerable zero-fill of the destination memory:



ESI holds the "bytes to copy". We don't take the jump because the value is greater than 10, and then ...
the first REP STOS starts storing 0x00 at [EDI++] ECX times (309 times), so we overwrite the other variables that follow the buffer and finally write out of the page.

Exploitation vector: the nick. In practice you must control the server, because real servers don't allow nicknames that long. (A PRIVMSG with a 315-byte nick -> DoS.)
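As an added illustration (not code from the original post or from mIRC), the following C model reproduces the bug class described above: the zero-fill length is derived from the attacker-controlled nick in the PRIVMSG prefix rather than from the size of the destination buffer, so a long nick first clobbers the variables that follow the buffer and then runs off the page. The buffer size, page size, buffer offset and the assumption that ECX equals the bytes-to-copy count are choices made for the model (the post shows 309 stores for a 315-byte nick but does not give the sizes); the writes are simulated into a byte array so the overrun is observable instead of being undefined behaviour. A hardened copy that rejects over-long nicks is shown beside it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (the post gives no sizes): the nick buffer lives at some
 * offset inside a page, with other client variables right after it.      */
#define NICK_BUF   32      /* assumed size of the destination nick buffer  */
#define PAGE_SIZE  256     /* assumed size of the page the buffer sits in  */
#define NICK_OFF   64      /* assumed offset of the nick buffer in the page */

struct copy_result {
    size_t zeroed;     /* bytes zero-filled: the REP STOS count            */
    int    clobbered;  /* 1 if bytes beyond the nick buffer were written   */
    int    off_page;   /* 1 if the fill ran past the end of the page       */
};

/* Extract the prefix nick from ":nick!user@host PRIVMSG target :text".
 * Returns the nick length, 0 if the line carries no prefix.              */
static size_t privmsg_nick(const char *line, const char **nick_out)
{
    if (line[0] != ':')
        return 0;
    const char *nick = line + 1;
    size_t n = 0;
    while (nick[n] && nick[n] != '!' && nick[n] != ' ')
        n++;
    *nick_out = nick;
    return n;
}

/* Model of the vulnerable call (dest, bytes_to_copy, src): bytes_to_copy
 * comes from the attacker-supplied nick, never from the size of dest.
 * Running off the page models the access violation (the DoS).           */
static struct copy_result vuln_copy(uint8_t *page, size_t bytes_to_copy,
                                    const char *src)
{
    struct copy_result r = {0, 0, 0};
    size_t i;
    /* REP STOS: store 0x00 at [EDI++] ECX times, ECX = bytes_to_copy */
    for (i = 0; i < bytes_to_copy; i++) {
        if (NICK_OFF + i >= PAGE_SIZE) {   /* write outside the page */
            r.off_page = 1;
            break;
        }
        page[NICK_OFF + i] = 0;
        if (i >= NICK_BUF)                 /* "other vars" overwritten */
            r.clobbered = 1;
    }
    r.zeroed = i;
    if (!r.off_page)                       /* then the nick itself is copied */
        memcpy(page + NICK_OFF, src, bytes_to_copy - 1);
    return r;
}

/* Hardened form: every length that reaches the buffer is bounded by the
 * buffer, and an over-long nick is rejected rather than silently truncated.
 * Returns 0 on success, -1 if the nick does not fit.                     */
static int safe_copy(uint8_t *page, size_t nick_len, const char *src)
{
    if (nick_len >= NICK_BUF)
        return -1;
    memset(page + NICK_OFF, 0, NICK_BUF);
    memcpy(page + NICK_OFF, src, nick_len);
    return 0;
}

/* Constructed test input: a PRIVMSG whose prefix nick is nick_len bytes,
 * as a rogue server would send it.                                       */
static void build_privmsg(char *out, size_t out_len, size_t nick_len)
{
    size_t i = 0;
    out[i++] = ':';
    while (i < nick_len + 1 && i < out_len - 32)
        out[i++] = 'A';
    out[i] = 0;
    strcat(out, "!u@h PRIVMSG victim :hi\r\n");
}

/* Feed a nick of nick_len bytes through the vulnerable copy. */
static struct copy_result run_vuln(size_t nick_len)
{
    char line[512];
    uint8_t page[PAGE_SIZE];
    const char *nick;
    build_privmsg(line, sizeof line, nick_len);
    memset(page, 0xAA, sizeof page);       /* marker for untouched bytes */
    size_t n = privmsg_nick(line, &nick);
    return vuln_copy(page, n + 1, nick);   /* bytes_to_copy = nick + NUL */
}

/* Feed the same nick through the hardened copy. */
static int run_safe(size_t nick_len)
{
    char line[512];
    uint8_t page[PAGE_SIZE];
    const char *nick;
    build_privmsg(line, sizeof line, nick_len);
    size_t n = privmsg_nick(line, &nick);
    return safe_copy(page, n, nick);
}

int main(void)
{
    struct copy_result ok  = run_vuln(5);    /* normal nick */
    struct copy_result bad = run_vuln(315);  /* the 315-byte nick from the post */
    printf("5-byte nick:   zeroed=%zu clobbered=%d off_page=%d\n",
           ok.zeroed, ok.clobbered, ok.off_page);
    printf("315-byte nick: zeroed=%zu clobbered=%d off_page=%d\n",
           bad.zeroed, bad.clobbered, bad.off_page);
    printf("hardened copy of 315-byte nick: %s\n",
           run_safe(315) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the assumed layout a 5-byte nick zero-fills 6 bytes and stays inside the buffer, while the 315-byte nick clobbers the neighbouring variables from byte 32 onwards and hits the page boundary after 192 stores; the hardened copy rejects it before any write happens.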
