The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


QW server hole


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Wed, 08 Apr 1998 15:10:27 +0600 (ESD)
Date: Wed, 8 Apr 1998 06:30:26 +0100
From: Chris Evans <[email protected]>
To: [email protected]
Subject: Re: QW server hole

Hi,

I've looked into the recently reported QuakeWorld server hole for
"exploitability" other than DoS.

It seems the smashed buffer is a static one rather than one on the stack;
when we use a very large string full of 'A' to fill the buffer with, we
don't get a crash due to execution at address 0x41414141.

Indeed instead we find we have trashed some structures with pointers in.
The eventual crash is due to a defererence of 0x10+(0x41414141), in the
function "Z_CheckHeap()".

The actual structure corrupted is called "mainzone", and the actual buffer
smashed is called "com_token" and appears to be exactly 1024 bytes long.

If, as you say, an ID Software employee has ignored your reports of this
bug, then that is _very_ poor.

Cheers
Chris

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру