16704
Core was generated by './bad_httpd'.
Program terminated with signal 11, Segmentation fault.
#0 0x006c6d74 in ?? ()
This tells you that the web server terminated because of a memory access violation and
that execution halted at location 0x006c6d74, which is not a typical program address. In
fact, with a little imagination, you realize that it is not an address at all, but the string
"tml" (the bytes 74 6d 6c 00, read as a little-endian 32-bit value). It appears that the last
4 bytes of the filename buffer have been loaded into eip, causing a segfault. Since you can
control the content of the URL, you can likely control the content of eip as well, and you
have found an exploitable problem.
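The decoding done by hand above can be automated as a crash-triage step. The following is an added example, not code from the book: it unpacks a faulting EIP value as little-endian bytes and reports whether they are printable characters that occur in the filename that was sent. The EIP value and the filename shape (padding ending in ".html") are constructed to match the crash described here.

```python
import struct

# Constructed sample values: the faulting EIP from the gdb output above and a
# filename of the shape the fuzzer sends (a long run of padding ending in ".html").
FAULT_EIP = 0x006C6D74
SENT_FILENAME = "A" * 64 + ".html"


def eip_to_bytes(eip: int) -> bytes:
    """Return the 4 bytes that, stored little-endian, produce this EIP value.

    0x006c6d74 sits in memory on x86 as 74 6d 6c 00, i.e. b"tml\\x00".
    """
    return struct.pack("<I", eip)


def triage_crash(eip: int, sent_filename: str) -> dict:
    """Decide whether a faulting EIP looks like request data rather than code.

    Returns the raw bytes, the text up to the first NUL (the terminator of the
    C string that overran the buffer) and whether that text occurs in the
    request that was sent. This is read-only analysis of the crash value.
    """
    raw = eip_to_bytes(eip)
    text = raw.split(b"\x00", 1)[0]                 # bytes before the terminator
    printable = all(0x20 <= b < 0x7F for b in text)
    decoded = text.decode("ascii") if printable else None
    controlled = bool(decoded) and decoded in sent_filename
    return {
        "eip": f"0x{eip:08x}",
        "raw_bytes": raw,
        "decoded": decoded,
        "input_controlled": controlled,
        "verdict": (
            "EIP holds bytes from the request: input reaches the saved return address"
            if controlled
            else "EIP does not decode to request data; inspect the stack further"
        ),
    }


if __name__ == "__main__":
    result = triage_crash(FAULT_EIP, SENT_FILENAME)
    for key, value in result.items():
        print(f"{key:17}{value!r}")
```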
Note that this fuzzer does exactly one thing: it submits a single long filename to a web
server. A more interesting fuzzer might throw additional types of input at the target web
server, such as directory traversal strings. Any thoughts of building a more sophisticated
fuzzer from this example must take into account a variety of factors, such as:
• What additional static content is required to make new requests appear to be
valid? What if you wanted to fuzz particular HTTP request header fields, for
example?
• Additional checks imposed on the recv operation to allow graceful failure of
recv operations that time out.