Buffer Overflow


Overview

Buffer overflow may occur when input is larger than the space allocated to hold it, so that the excess is written past the end of the buffer into whatever memory lies next to it.

Variables and arguments can hold only a limited amount of data before the size of the data (for numbers, the magnitude) exceeds the capacity of the variable. An unsigned byte can hold the number 255, but storing 256 will either cause an error, be cast to a different representation, or "roll" the variable back to zero. Numeric overflow and buffer overflow are closely related: an integer that wraps or is clamped is often the length or count later used to size a buffer, so both are tested together.
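The two numeric behaviours described above (an 8-bit value rolling back to zero, and an out-of-range number being clamped to the largest representable integer) as an added C example; this is illustrative code written for this page, not code from the original text or from any application it describes. The counter functions and their names are assumptions chosen for the demonstration; strtol() and its ERANGE signalling are standard C.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Adds 'n' to an 8-bit unsigned counter. Unsigned arithmetic in C is
 * defined to wrap modulo 2^8, so 255 + 1 "rolls" back to 0. */
uint8_t add_u8(uint8_t value, unsigned n)
{
    return (uint8_t)(value + n);   /* the cast discards every bit above the 8th */
}

/* Same addition, but refuses to wrap: returns 0 and leaves the counter
 * untouched when the result would not fit. This is the check a hardened
 * implementation applies before trusting the new value. */
int add_u8_checked(uint8_t *value, unsigned n)
{
    if (n > UINT8_MAX - *value)
        return 0;
    *value = (uint8_t)(*value + n);
    return 1;
}

/* Parses a decimal string into a long. strtol() saturates at LONG_MAX /
 * LONG_MIN and reports the overflow only through errno == ERANGE; this is
 * the "cast down to the biggest representable integer" behaviour. A caller
 * that ignores errno silently accepts the clamped value. */
long parse_long(const char *text, int *overflowed)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    *overflowed = (errno == ERANGE);
    return v;
}

int main(void)
{
    int ov;
    uint8_t counter = 250;

    printf("255 + 1 as uint8_t = %u\n", add_u8(255, 1));
    printf("checked 250 + 10 accepted? %d (counter=%u)\n",
           add_u8_checked(&counter, 10), counter);
    printf("strtol(\"99999999999999999999\") = %ld, ERANGE=%d\n",
           parse_long("99999999999999999999", &ov), ov);
    return 0;
}
```

The point of parse_long() is the caveat, not the clamp itself: a parser that clamps is safer than one that wraps, but only if the code reads the overflow signal and rejects the request instead of proceeding with LONG_MAX as a length or count.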

Discovery Methodology

Inject very long strings, integers larger than a 32-bit or 64-bit type can hold, and other overflow input into every available parameter, then watch for errors, truncated or garbled output, or a change in behaviour that indicates the input outgrew the variable holding it.

Exploitation

Narrow down the exact length of input that overflows the vulnerable parameter, for example by increasing the length step by step until the error appears or an adjacent value changes. That length marks the boundary of the buffer and is the starting point for building a payload.
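The discovery and exploitation steps above, as an added C example that is not part of the original page: a record with a fixed-size name field followed by an "is admin" flag is modelled as one byte array (an assumption made so the overflow stays inside a single object and the behaviour is defined; in a real program the two would be separate variables). A vulnerable setter bounds the copy by the record instead of the field, a hardened setter bounds it by the field, and a probe feeds inputs of increasing length until the flag changes, which is exactly the "narrow down the length" step. The field sizes, names and the constructed probe input are all assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN   16            /* assumed size of the name buffer      */
#define FLAG_OFF   NAME_LEN      /* is_admin sits immediately after name */
#define RECORD_LEN (NAME_LEN + 1)

typedef struct {
    unsigned char bytes[RECORD_LEN];   /* name[0..15], is_admin at [16] */
} record_t;

/* Vulnerable copy: trusts the caller's length and only guards the size of
 * the whole record, so the 17th byte lands on the flag. Always returns 0. */
int set_name_vulnerable(record_t *r, const unsigned char *input, size_t len)
{
    if (len > RECORD_LEN)
        len = RECORD_LEN;
    memcpy(r->bytes, input, len);
    return 0;
}

/* Hardened copy: bounded by the field, and rejects oversize input outright
 * rather than truncating it silently. */
int set_name_safe(record_t *r, const unsigned char *input, size_t len)
{
    if (len > NAME_LEN)
        return -1;
    memcpy(r->bytes, input, len);
    return 0;
}

int is_admin(const record_t *r)
{
    return r->bytes[FLAG_OFF] != 0;
}

/* Discovery step: send probes of increasing length through 'setter' and
 * return the smallest length at which the adjacent flag changes. Returns 0
 * if no length up to 'max_len' does (the safe setter). */
size_t find_overflow_length(int (*setter)(record_t *, const unsigned char *, size_t),
                            size_t max_len)
{
    unsigned char payload[256];
    memset(payload, 'A', sizeof payload);      /* constructed probe input */
    if (max_len > sizeof payload)
        max_len = sizeof payload;

    for (size_t len = 1; len <= max_len; len++) {
        record_t r;
        memset(&r, 0, sizeof r);               /* is_admin starts as 0 */
        setter(&r, payload, len);
        if (is_admin(&r))
            return len;                        /* first length that clobbers the flag */
    }
    return 0;
}

int main(void)
{
    printf("vulnerable setter overflows at length %zu\n",
           find_overflow_length(set_name_vulnerable, 64));
    printf("safe setter overflows at length %zu (0 = never)\n",
           find_overflow_length(set_name_safe, 64));
    return 0;
}
```

Against the vulnerable setter the probe stops at 17, one byte past the 16-byte field, and that byte is the one an attacker controls; everything before it is padding. Against the hardened setter it never stops, because oversize input is refused instead of copied.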

Example

Page Repeater is vulnerable.

Note: "Times to Repeat" has some protection because it is cast to an integer. Even if you try to overflow "Times to Repeat" by submitting a value larger than an int can hold, the cast clamps the number to the largest integer the system can represent (PHP_INT_MAX) rather than wrapping it to zero or a negative number. To confirm this on the target's PHP version, cast an out-of-range numeric string to int and check that the result equals PHP_INT_MAX. A very large count still matters, though, because it multiplies the length of the output string.

Instead, try to overflow the variable created to hold the expanded "String to Repeat", i.e. the string built by repeating the input the requested number of times. The data type of this buffer is a PHP string.

A PHP string can hold a lot of data, but its size is not infinite: it is bounded by the memory available to the script (the memory_limit setting) and by the maximum string length PHP supports. Pushing the repeated string past that limit does not corrupt memory the way a C overflow would; it makes the script fail, typically with a fatal out-of-memory error, which is a denial of service and may disclose details of the server in the error message.