Re: VBscript Bufferoverflow, code - tools




That statement should never overflow. The variable "part" is passed to the
method as strContent(64), which is a variant array. Each element of the
array is a string which can be of any length. There would be a "subscript
out of range" error if i in part(i) ever exceeded 64, but I don't see where
i ever exceeds 0.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"Elias" <Elias@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:41641D39-1C0C-4759-8546-3DDE572B571D@xxxxxxxxxxxxxxxx
Hello Richard,
I wish I had a better answer for you, but as a Web Master I'm deploying
someone else's code which I think has an issue. This is not my code and as
you say, I'm wondering myself.

However the result, I think the buffer overflow was in this line;

part(0) = part(0) & newString

Given the concatenation into an array element with no bounds checking for
what is added, wouldn't this be susceptible to a buffer overflow?

Given the command line VB tools in wscript/cscript I'm not sure what result
I should even expect that would give conclusive and positive confirmation of
a buffer overflow if I were to test passing in newString with overly large
values.
--
Thanks,
Elias Griffin
Microsoft Applications Deployment
Computer Sciences Corporation


"Richard Mueller [MVP]" wrote:

I cannot figure out what you are trying to do.

First, your strContent array has 65 elements, from 0 to 64.
Next, if data is a string of x characters, LenB(data) will be twice x.
At first you use LenB, but in Sub AddString you use Len.

I would need to know what you are trying to accomplish. When I pass various
strings to BufferContent I get one character and I can't make anything
overflow.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"Elias" <Elias@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F55F20C7-811C-4FE7-9A46-D16C6F67386A@xxxxxxxxxxxxxxxx
Hey guys,
Are there any free tools for auditing VB/VBscript code for buffer overflows?
Microsoft has so many good tools out, I feel I may be missing it. Or a good
open source .NET based buffer overflow analysis tool maybe?

If neither, maybe someone can tell me if the below is buffer overflowing. At
first glance I thought it was. Only a few lines.

Function BufferContent(data)
    Dim strContent(64)
    Dim i

    ClearString strContent

    For i = 1 To LenB(data)
        AddString strContent,Chr(AscB(MidB(data,i,1)))
    Next

    BufferContent = fnReadString(strContent)
End Function

Sub ClearString(part)
    Dim index

    For index = 0 to 64
        part(index)=""
    Next
End Sub

Sub AddString(part,newString)
    Dim tmp
    Dim index

    part(0) = part(0) & newString

    If Len(part(0)) > 64 Then
        index=0
        tmp=""

        Do
            tmp=part(index) & tmp
            part(index) = ""
            index = index + 1
        Loop until part(index) = ""

        part(index) = tmp
    End If
End Sub

Function fnReadString(part)
    Dim tmp
    Dim index

    tmp = ""

    For index = 0 to 64
        If part(index) <> "" Then
            tmp = part(index) & tmp
        End If
    Next

    FnReadString = tmp
End Function


contentStr was declared as 64 element value and thus part() was as well, yet
part() is appended to during AddString Subroutine. Although the arrays are
dynamically sized in VBscript, wouldn't this overflow part(0) if newString is
large enough or does the variant type declaration of arrays negate that?

--
Thanks for any assistance,
Elias Griffin
Microsoft Applications Deployment
Computer Sciences Corporation
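
A cscript test for the two cases discussed in this thread, added here as an example and not code from either poster: an oversized string concatenated into one array element, and the carry loop in AddString running past the last array slot. AddChunk, its limit parameter and the 0..3 array are assumptions introduced so that slot exhaustion is reachable in a handful of calls; the failure is reported through the Err object as a trappable runtime error.

```vbscript
' Added test harness, not code from the thread.
' Run with: cscript //nologo harness.vbs
Option Explicit

' Same carry logic as AddString in the post; "limit" replaces the fixed 64
' (hypothetical parameter, added so the test can use a small array).
Sub AddChunk(part, newString, limit)
    Dim tmp, index
    part(0) = part(0) & newString
    If Len(part(0)) > limit Then
        index = 0
        tmp = ""
        Do
            tmp = part(index) & tmp
            part(index) = ""
            index = index + 1
        Loop Until part(index) = ""
        part(index) = tmp
    End If
End Sub

' Test 1: oversized input into one element of a 0..64 array.
' The element is a string that is reallocated as it grows; the array
' bounds do not change.
Dim big(64)
big(0) = String(1000000, "A")
big(0) = big(0) & String(1000000, "B")
WScript.Echo "Len(big(0)) = " & Len(big(0)) & ", UBound(big) = " & UBound(big)

' Test 2: run the carry loop past the last slot of a 0..3 array.
' With limit 0 every call carries, so the slots fill like a binary counter.
Dim slots(3), n
For n = 0 To 3
    slots(n) = ""
Next
On Error Resume Next
For n = 1 To 8
    AddChunk slots, "x", 0
    If Err.Number <> 0 Then
        ' The bad index aborts AddChunk and surfaces here as a runtime error.
        WScript.Echo "Call " & n & ": error " & Err.Number & " - " & Err.Description
        Err.Clear
        Exit For
    End If
Next
On Error GoTo 0
```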




