Fork me on GitHub
Its the Code garbage collector. Mind dumps of daily coding antics from a frustrated silly little man. VBS, PHP, TCL, TK, PERL, C++, JAVA....what now? Ruby?
No Wait.. It should be just RUBY!

20061119

Google Codesearch - Finding Vulns

Google Codesearch is a newer item in the google lab (Early October ). I like the functionality, but making all the code searchable will always find the bodies in the closet that not everyone wants to see.. The Google hacking database GHDB has been talking about it for awhile along with other noteable persons in the field.. just wondering if ISC/DSHIELD was interested in the topic for discussion..

The Search:
http://www.google.com/codesearch

Simple Buffer Overflows
Link: wikipedia Buffer_overflow

Search
lang:"c" strcpy buffer argv

or simply

buffer "should be big enough"

Using Google Code Search:

Found Examples of InSecure (Purposeful) Coding..Google Code Search

/* vuln.c */

#include

int main(int argc, char * argv [])
{
char buffer [500];


if (argc > 1)
strcpy(buffer, argv[1]);
return (0);
}

Finding Examples of correct implentation..Google Code Search

*hostdir = malloc(sizeof(char[strlen(argv[1])+1]));

/* separate hostname and dirname from 'hostname:dirname' format */

strcpy(hostdir, argv[1]);


Possible Example of Real Vulnerability Finding... in Nachos Example Operating System

#ifdef DEBUG
int main (int argc, char *
argv[]) {
char buffer[80];
printf ("string = %s.\n", strcpy (buffer, argv
[1]));
}
#endif


Link:Google Code Search

Site:Nachos URL
Posted by shadowbq at 01:02
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)