114 \end{frame}} |
114 \end{frame}} |
115 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
115 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
116 |
116 |
117 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
117 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
118 \begin{frame}[fragile] |
118 \begin{frame}[fragile] |
119 \frametitle{Buffer Overflows} |
119 \frametitle{D-Link Router, Buffer Overflows} |
120 |
120 |
121 \begin{verbatim} |
121 \begin{verbatim} |
122 As a proof-of-concept, the following URL allows |
122 As a proof-of-concept, the following URL allows |
123 attackers to control the return value saved on |
123 attackers to control the return value saved on |
124 the stack (the vulnerability is triggered when |
124 the stack (the vulnerability is triggered when |
125 executing "/usr/sbin/widget"): |
125 executing "/usr/sbin/widget"): |
126 |
126 |
127 curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB |
127 curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB |
128 |
128 |
129 The value of the "hash" HTTP GET parameter consists in |
129 The value of the "hash" HTTP GET parameter consists of |
130 292 occurrences of the 'A' character, followed by four |
130 292 occurrences of the 'A' character, followed by four |
131 occurrences of character 'B'. In our lab setup, characters |
131 occurrences of character 'B'. In our lab setup, characters |
132 'B' overwrite the saved program counter (%ra). |
132 'B' overwrite the saved program counter (%ra). |
133 |
133 |
134 Discovery date: 06/03/2013 |
134 Discovery date: 06/03/2013 |
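Review bot: the new frame title at line 119 names a D-Link router, but the verbatim body at lines 122-134 still reads as unattributed first-person advisory text ("In our lab setup") and gives no device model, firmware version or source reference. Add a citation line or footnote on the frame so the audience can tell whose lab result this is and which device it applies to. Separately, "Discovery date: 06/03/2013" at line 134 is ambiguous between day-first and month-first order. If the verbatim text has to stay as quoted, state the date unambiguously outside the block. The "consists in" to "consists of" fix at line 129 is fine as it stands.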