Archive for March, 2007

A whole new world of amazon fun

Friday, March 9th, 2007

I like browsing through amazon’s website as much as the next guy, but pandzilla showed me a new way of appreciating amazon. Looking for the craziest reviews of items on amazon. Breathtaking !
some things you should see:
http://www.amazon.com/Underhill-Farms-Elk-Carcass/dp/B000IDOB5Y/ref=sr_1_23/104-0721154-5701564?ie=UTF8&s=gourmet-food&qid=1173397485&sr=1-23
http://www.amazon.com/Bobs-Red-Mill-Xanthan-Gum/dp/B0000CCZUO/ref=pd_bbs_2/002-2655636-8027208?ie=UTF8&s=gourmet-food&qid=1173207456&sr=8-2
http://www.amazon.com/gp/product/customer-reviews/B000002UB3/sr=8-3/qid=ARRAY(0×58fc7004)/ref=cm_rev_sort/002-3634337-6436051?customer-reviews.sort_by=%2BOverallRating&s=music&x=12&y=8
http://www.amazon.com/gp/product/customer-reviews/B000001FS3/sr=1-11/qid=ARRAY(0×574a1498)/ref=cm_rev_sort/002-3634337-6436051?customer-reviews.sort_by=%2BOverallRating&s=music&x=8&y=12

isn’t that hilarious ?

Tags:
Posted in Uncategorized | 1 Comment »

fishy FiSH

Thursday, March 8th, 2007

FiSH is a plugin for most popular irc clients that implements encryption. I looked at it a few years ago, and it was horrible. Stacksmashes _everywhere_. I briefly looked at it again yesterday, only to discover that all the bugs are still there ! somewhat shocking. I wonder how many people have been owned because of those bugs.
I looked at the xchat plugin code (but I believe most of the code is shared and only the entry point code is (obviously) different) and it basicly registers 4 functions that handle incomming data:

xchat_hook_server(ph, “PRIVMSG”, XCHAT_PRI_NORM, decrypt_incoming, 0);
xchat_hook_server(ph, “NOTICE”, XCHAT_PRI_NORM, notice_received, 0);
xchat_hook_server(ph, “TOPIC”, XCHAT_PRI_NORM, decrypt_incoming, 0);
xchat_hook_server(ph, “NICK”, XCHAT_PRI_NORM, nick_changed, 0);
xchat_hook_server(ph, “332″, XCHAT_PRI_NORM, decrypt_topic_332, 0);

so let’s look at all of those.

int decrypt_incoming(char *word[], char *word_eol[], void *userdata)
{
unsigned char *msg_ptr, contactName[100]=”", from_nick[50], msg_event[100]=”",

psyNetwork[12];

if(word[1][0] == ‘:’) ExtractRnick(from_nick, word[1]);

}

here’s what ExtractRnick() does:

int ExtractRnick(char *Rnick, char *incoming_msg)
{
int k=0;

if(*incoming_msg == ‘:’) incoming_msg++;

while(*incoming_msg!=’!’ && *incoming_msg!=0) {
Rnick[k]=*incoming_msg;
incoming_msg++;
k++;
}
Rnick[k]=0;

if (*Rnick < ‘0′) return FALSE;
else return TRUE;
}

you can clearly see the stacksmash here (word[1] comes from the network !). the other 3 functions are just as horrible:

int notice_received(char *word[], char *word_eol[], void *userdata)
{
unsigned int i;
unsigned char hisPubKey[300], contactName[25]=”", from_nick[25]=”";

if(ExtractRnick(from_nick, word[1])==0) return XCHAT_EAT_NONE;

}

int nick_changed(char *word[], char *word_eol[], void *userdata)
{
unsigned char contactName[100]=”", theKey[500]=”", ini_nicktracker[10];

if( *ini_nicktracker==’0′ || *ini_nicktracker==’N’ || *ini_nicktracker==’n’ ||
(ExtractRnick(contactName, word[1])==0) ||
(stricmp(contactName, word[3]+1)==0))
return XCHAT_EAT_NONE;

}

int decrypt_topic_332(char *word[], char *word_eol[], void *userdata)
{
unsigned char contactName[100]=”";

strcpy(contactName, word[4]);

}

yes, that last one is an actual strcpy() stacksmash. The 90’s called, they want their bugs back :-p

Tags:
Posted in Uncategorized | 8 Comments »

awesome quote

Saturday, March 3rd, 2007

“trying to unfuck [some issue] while it’s still unfuckable” — Dan Kaminsky

Tags:
Posted in Uncategorized | No Comments »