Analysing Code for potential security vulnerabilities
[NIL]
04-25-2008, 11:28 AM
Hey all,
As a hobbyist programmer, this isn't a major issue for me, but still something I hold a great interest in.
When looking through code that has been classed as vulnerable, I've been trying to see what actually makes it vulnerable. A few times, I could see why. For example, an Apache exploit in which a URL with more than the expected parameters caused Apache to write beyond the array it stored the data in, into the executable memory space.
However, most of the time, I find it difficult to see these exploits.
So, basically, I'm asking for tips on spotting exploits in code.
Thanks very much :)
theprez98
04-25-2008, 11:37 AM
Hey all,
As a hobbyist programmer, this isn't a major issue for me, but still something I hold a great interest in.
When looking through code that has been classed as vulnerable, I've been trying to see what actually makes it vulnerable. A few times, I could see why. For example, an Apache exploit in which a URL with more than the expected parameters caused Apache to write beyond the array it stored the data in, into the executable memory space.
However, most of the time, I find it difficult to see these exploits.
So, basically, I'm asking for tips on spotting exploits in code.
Thanks very much :)
http://www.maths.leeds.ac.uk/~read/bofs.html
http://web.textfiles.com/hacking/buffer.txt
As a start.
capron
04-25-2008, 12:08 PM
Hallo!
Interesting topic. I guess nothing beats a good brain and a manual check;
however, maybe you would like to run some tools on the source first.
I just googled a few, hoping you can do some testing and report back to
us if any of these tools were good. These tools are for C++/C code; is that
what you are looking for?
Flawfinder
RATS
ITS4
Splint
cqual
Testers programs
BFBTester
Spike
fuzz
[NIL]
04-25-2008, 12:57 PM
These tools are for C++/C code; is that
what you are looking for?
Sorry, should have said. Personally, I program in PASCAL, which is closer to C++ than C, but since most web apps - at least, open source ones - are coded in C, I'm happy to expend a little effort learning that too.
http://www.maths.leeds.ac.uk/~read/bofs.html
http://web.textfiles.com/hacking/buffer.txt
As a start.
Thanks, but I understand the concept of a buffer overflow; if you have any texts with tips on how to spot them, that would be brilliant.
Thanks very much to both of you.
thorin
04-25-2008, 01:29 PM
Sorry, should have said. Personally, I program in PASCAL, which is closer to C++ than C, but since most web apps - at least, open source ones - are coded in C, I'm happy to expend a little effort learning that too.
I'm not sure what makes you think most web apps are C, but from my experience you're looking more at: Java (incl JSP/Servlet/EJB), PHP, MS whatever.NET (usually VB :( ). With a high likelihood of some Ruby, PHP, Python, or Perl doing small pieces in the backend (comms with other systems etc). Plus SQL for DB integration. [Or did you mean App Server/Infrastructure apps?]
PMD (http://pmd.sourceforge.net/)is an interesting source code analysis tool you might wanna look at. (http://sourceforge.net/projects/pmd/)
[NIL]
04-25-2008, 01:58 PM
I'm not sure what makes you think most web apps are C, but from my experience you're looking more at: Java (incl JSP/Servlet/EJB), PHP, MS whatever.NET (usually VB :( ). With a high likelihood of some Ruby, PHP, Python, or Perl doing small pieces in the backend (comms with other systems etc). Plus SQL for DB integration. [Or did you mean App Server/Infrastructure apps?]
PMD (http://pmd.sourceforge.net/)is an interesting source code analysis tool you might wanna look at. (http://sourceforge.net/projects/pmd/)
Yeah, sorry again :p
I meant server apps.
I need to sleep more :D
hhmatt81
04-25-2008, 02:09 PM
Sorry, I don't have the greatest experience in Pascal; I have briefly studied Delphi. From everything I've read (and it makes sense), no program can replace human knowledge in identifying possible overflows. There's probably a good book somewhere that explains how to write safer code in almost every language. It is going to require a deeper understanding of which commands do bounds checking and which do not. Also, it doesn't hurt to have someone else look over the code. They might be able to point out possible overflows you have overlooked.
Next I might suggest learning how to fuzz. Doing a few quick fuzz tests on your program should determine weaknesses in your program's code and should allow you to examine and identify possible security threats.
Also, maybe a Google search on some Pascal commands that lead to vulnerabilities might be a good idea. I know I remember seeing a good page on C++ recently, but that doesn't completely apply to you.
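To make the "which commands do bounds checking" point concrete, here is an added example (my own code, not something posted by anyone in this thread, and not Apache's code either): a tiny query-string splitter that stores each '&'-separated field in a fixed-size table. The names `struct params`, `parse_query_unchecked` and `parse_query_checked` and the limits `MAX_PARAMS`/`MAX_VALUE` are invented for the illustration. The unchecked version is the shape that turns "more parameters than expected" or an over-long value into a write past the end of an array; the checked version differs only by two length tests, and spotting where those tests are missing is most of what a manual review for this bug class amounts to.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed limits for the example: at most 4 fields of up to 15 chars + NUL. */
#define MAX_PARAMS 4
#define MAX_VALUE  16

/* Hypothetical fixed-size parameter table. */
struct params {
    size_t count;
    char value[MAX_PARAMS][MAX_VALUE];
};

/* Copy one field into the table. The caller's checks (or lack of them) decide
 * whether this write stays inside value[][]. */
static void store_field(struct params *out, const char *p, size_t len)
{
    memcpy(out->value[out->count], p, len);
    out->value[out->count][len] = '\0';
    out->count++;
}

/* The pattern review should flag: both the number of fields and the length
 * of each one come straight from the input, but the destination sizes are
 * fixed. Five fields, or one field of 16+ characters, write past the table.
 * (Only called with well-formed input below; that is the point of the bug.) */
int parse_query_unchecked(const char *query, struct params *out)
{
    const char *p = query;
    out->count = 0;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        store_field(out, p, len);          /* no check against MAX_PARAMS or MAX_VALUE */
        if (!end) break;
        p = end + 1;
    }
    return (int)out->count;
}

/* Same logic with the two bounds tests. Returns the field count, or -1 if
 * the input would not fit, instead of writing outside the arrays. */
int parse_query_checked(const char *query, struct params *out)
{
    const char *p = query;
    out->count = 0;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (out->count >= MAX_PARAMS) return -1;   /* too many fields */
        if (len >= MAX_VALUE) return -1;           /* field too long for value[] incl. NUL */
        store_field(out, p, len);
        if (!end) break;
        p = end + 1;
    }
    return (int)out->count;
}

int main(void)
{
    struct params tbl;
    /* Well-formed input: both versions behave the same. */
    printf("checked   (a=1&b=22): %d fields\n", parse_query_checked("a=1&b=22", &tbl));
    printf("unchecked (a=1&b=22): %d fields\n", parse_query_unchecked("a=1&b=22", &tbl));
    /* Inputs the table cannot hold: only the checked version refuses them. */
    printf("checked   (5 fields): %d\n", parse_query_checked("a&b&c&d&e", &tbl));
    printf("checked   (18-char value): %d\n", parse_query_checked("k=0123456789abcdef", &tbl));
    return 0;
}
```

When reading code, look for the loop variable (`out->count` here) and the copy length (`len`) and ask what bounds them; if the answer is "the input", the write is attacker-sized. In Pascal the same question applies wherever a `{$R-}` range-check-off region or a `Move` into a fixed array takes its length from outside.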
compaq
06-25-2008, 05:15 AM
I'm new in this area, but try to write an exploit, then look at the asm, then run a debugger on the program to exploit and see if you can get a match.
Anyway, if it's in the OS like SMB, try modifying this script (fuzzy):
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
/* link against ws2_32 (e.g. -lws2_32 with MinGW) */
int main(int argc, char *argv[])
{
    struct sockaddr_in their_addr;
    WSADATA wsa;
    struct hostent *he;
    int len, sockfd;
    int c = 0, cha = 0, count = 0;
    char storebuf[2100], store[5];
    char recvbuf[2100], sendbuf[2100];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <host>\n", argv[0]);
        return 1;
    }
    WSAStartup(MAKEWORD(2,0), &wsa);
    he = gethostbyname(argv[1]);
    if (he == NULL) {
        fprintf(stderr, "could not resolve %s\n", argv[1]);
        return 1;
    }
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(445);
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(their_addr.sin_zero), '\0', 8);
    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) != 0) {
        fprintf(stderr, "connect failed\n");
        return 1;
    }
    /* zero every buffer first, so the bytes sent or copied later are defined */
    memset(sendbuf, 0, sizeof(sendbuf));
    memset(recvbuf, 0, sizeof(recvbuf));
    memset(store, 0, sizeof(store));
    memset(storebuf, 0, sizeof(storebuf));
    /* fill the first 500 bytes of sendbuf with 0,1,2,... (the value wraps at 256) */
    do
    {
        sendbuf[c] = (char)cha;
        cha++;
        c++;
    }
    while (c < 500);
    do
    {
        if (count <= 500) {
            /* first pass: send a 5-byte window starting at offset count */
            send(sockfd, &sendbuf[count], 5, 0);
            len = recv(sockfd, recvbuf, 1, 0);
            if (len > 0) {
                recvbuf[len] = '\0';   /* terminate before printing as a string */
                printf("%s\n", recvbuf);
            }
        }
        else if (count <= 1000) {
            /* second pass: resend pairs of bytes; the else-if keeps count-500 >= 0 */
            store[0] = sendbuf[count - 500];
            store[1] = sendbuf[count - 499];
            send(sockfd, store, 5, 0);
            len = recv(sockfd, recvbuf, 1, 0);
            if (len > 0) {
                recvbuf[len] = '\0';
                printf("%s\n", recvbuf);
            }
        }
        /* keep the last reply; the original compared storebuf and recvbuf as
           pointers, which never works, so use memcmp if you re-enable that */
        c = 0;
        do
        {
            storebuf[c] = recvbuf[c];
            c++;
        }
        while (c < 5);
        count++;
    }
    while (count < 50000);
    closesocket(sockfd);
    WSACleanup();
    return 0;
}