[Dailydave] Ferret
Robert Wesley McGrew
wesley at mcgrewsecurity.com
Tue Mar 6 10:26:26 EST 2007
On 3/6/07, Phrack Senate Omniscient <phracksenate at gmail.com> wrote:
> Ferret-1/Ferret/http.c:
> void process_simple_http(struct Seaper *seap, struct NetFrame *frame,
>                          const unsigned char *px, unsigned length) {
>     char method[16];
>     ...
>     x=0;
>     while (i<length && !isspace(px[i])) {
>         if (x < sizeof(method) -1) {
>             method[x++] = (char)toupper(px[i++]);
>             method[x] = '\0';
>         }
>     }
>
> ur code getting owned in less than 60 seconds: priceless
Not that this isn't bad (it is), but to get here, it has to pass this
check in tcp.c:
171     if (smellslike_httprequest(px, length))
172         process_simple_http(seap, frame, px, length);
It turns out the bounds-checking for this is actually done up in
smellslike_httprequest:
43     for (i=0; i<length && isspace(data[i]); i++)
44         ;
45     method = i;
46     while (i<length && !isspace(data[i]))
47         i++;
48     if (i>10)
49         return 0;
I would agree that process_simple_http should carry its own
bounds-checking with it though. It would turn out badly if someone
tinkering decided to use that function without the corresponding
smellslike.
> knowing that ur code prolly has a dozen other elementary errors
> resulting in memory corruption: just fucking embarrassing
This is probably still true.
> Some at Black Hat called it "serious fucking business".
Maybe I should actually build this thing and play with it :P
--
Robert Wesley McGrew
http://mcgrewsecurity.com
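As an added illustration (my own code, not Ferret's), here is the quoted method-token loop beside a form that always advances the read index, together with the length test that the quoted smellslike_httprequest applies before process_simple_http is ever reached; the function names, the METHOD_MAX constant and the sample requests are mine, and only the length part of the smellslike check is reproduced.

```c
#include <ctype.h>
#include <string.h>

#define METHOD_MAX 16 /* the quoted buffer is char method[16] */
/* Same control flow as the quoted loop: i advances only while the buffer has
 * room, so after 15 stored bytes i is stuck and the loop never exits. This
 * copy returns -1 at that point instead of hanging; 0 on success. */
int parse_method_as_quoted(const unsigned char *px, unsigned length,
                           char *method, size_t msize)
{
    unsigned i = 0, x = 0;
    while (i < length && !isspace(px[i])) {
        if (x < msize - 1) {
            method[x++] = (char)toupper(px[i++]);
            method[x] = '\0';
        } else {
            return -1; /* i cannot advance: the original spins forever here */
        }
    }
    return 0;
}

/* Hardened form: consume every byte of the token, store only while room
 * remains, terminate once after the loop. Returns the bytes consumed. */
unsigned parse_method_fixed(const unsigned char *px, unsigned length,
                            char *method, size_t msize)
{
    unsigned i = 0, x = 0;
    while (i < length && !isspace(px[i])) {
        if (x < msize - 1)
            method[x++] = (char)toupper(px[i]);
        i++;
    }
    method[x] = '\0';
    return i;
}

/* The length check from the quoted smellslike_httprequest (its other checks
 * are not reproduced): skip leading whitespace, walk the method token, and
 * reject when the token ends past offset 10. Returns 1 if it passes. */
int method_length_ok(const unsigned char *data, unsigned length)
{
    unsigned i;
    for (i = 0; i < length && isspace(data[i]); i++)
        ;
    while (i < length && !isspace(data[i]))
        i++;
    return i > 10 ? 0 : 1;
}
```

Any method token longer than 15 bytes makes the quoted loop stop advancing (the -1 return here), while the hardened loop truncates the stored copy and still finishes; the smellslike test rejects such a token before either parser runs.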