Correctly, I want to know how "not Null-terminated" is to be implemented in code. Null characters cause most buffer overflow vulnerabilities to not be triggered correctly, because the function stops copying when a Null byte is encountered. Is that right? By "code" I don't mean the source, I mean the idea. Also, how/what is it to bind a shell to a high port?
On 11/23/06, peternilsson42 <[EMAIL PROTECTED]> wrote:
> On Wed, 22 Nov 2006 19:12:43 +0200
> "Eng. Mina Ramses" <[EMAIL PROTECTED]> wrote:
>
> > Most string functions expect to be terminated by Null bytes.

The term null byte is better. Null looks too much like a hybrid of
null and NULL.

> > When a code contains a Null byte, it is interpreted as a
> > string terminator, resulting in that program accepting the
> > code in front of the Null byte and discarding the rest.

What do _you_ mean by 'code'. Some samples might make your intent
clearer...

> > There are many tricks to prevent code from containing Null
> > bytes. i want to only ask, the following is Null terminated
> > by mean of 0x00 is the NULL Byte?
> >
> > i.e: the following string:
> > "Hello world !",0x00

[...or perhaps not! ;-]

That isn't a string, it's a piece of syntax that makes very little
sense on its own.

ed <[EMAIL PROTECTED]> wrote:
> 'H', 'e', 'l', 'l', 'o', '\0'
> is null terminated.
>
> \0 is escape for ascii-0 on most systems.

\0 is escape for 0 on all conforming implementations, ASCII or
otherwise [unless it's followed by say another non-zero octal
digit...]

> but it's often better to use the escape sequence than address
> it in case for some reason \0 is not 0x00 on some systems...

It would have to be a really weird system (and seriously broken.)

> i can't think why, but i always use \0.

For character constants, the octal and hex escapes are as follows...

    octal-escape-sequence:
        \ octal-digit
        \ octal-digit octal-digit
        \ octal-digit octal-digit octal-digit

    hexadecimal-escape-sequence:
        \x hexadecimal-digit
        hexadecimal-escape-sequence hexadecimal-digit

The value is (more or less) the intuitive value.[1] So...

    0 == '\0'
    0 == '\x0'

[1] Strange things can happen if you specify a character code outside
the non-negative range of plain char.

> it's also possible to use it as 0.

Strictly speaking, '\0' and 0 do have the same value and type in C.
[They have different types in C++.]

That's not to say you should start using '\0' as a null pointer
constant.

> > and as i know we have to use a string as the argument for
> > a system call, that string must be Null-terminated.

Yes.

> > if we don't want it to be terminated,

Why wouldn't you want it to be null terminated?

> > also asking how this trick leads to vulnerability, or
> > what about code injection in a program's memory via string
> > functions such as read(), sprintf(), and strcpy().

Sounds like you're talking about buffer overflow issues.

> there should be no problem with read, providing the memory
> one reads into is allocated. read() reads n number of bytes.
> what happens to those bytes is left to the programmer.
>
> sprintf writes the formatted string to memory, but you better
> have enough memory there first.
>
> look into the functions that have an 'n' in their name...
> strncpy, snprintf, strncat etc.

Well strncpy is not necessarily a good example since it need not
terminate the resultant character sequence with a null byte...

    #include <string.h>

    char dst[3];
    strncpy(dst, "Hello", sizeof dst);
    /* dst[0] = 'H'; dst[1] = 'e'; dst[2] = 'l'; -- no '\0' anywhere in dst */

--
Peter
--
Eng. Mina r. Fahmy
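The strncpy behaviour Peter describes above, as an added example that is not part of the original thread: strncpy_leaves_unterminated() shows that a source at least sizeof dst bytes long leaves dst with no null byte (so a later strlen or printf would read past the buffer), and copy_terminated() is a hypothetical helper, not a standard function, that truncates and always writes the terminator.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy at most dst_size-1 bytes of src into dst and
   always terminate with a null byte. Returns the number of bytes copied,
   not counting the terminator. With dst_size == 0 nothing is written. */
size_t copy_terminated(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst_size == 0)
        return 0;
    n = strlen(src);
    if (n >= dst_size)
        n = dst_size - 1;        /* truncate, leaving room for '\0' */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Is there a null byte anywhere in the first len bytes of buf? */
int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Reproduces Peter's case: strncpy into a 3-byte buffer from "Hello".
   Returns 1 if dst ends up without any null byte, 0 otherwise. */
int strncpy_leaves_unterminated(void)
{
    char dst[3];
    memset(dst, 'X', sizeof dst);           /* constructed filler, non-null */
    strncpy(dst, "Hello", sizeof dst);      /* copies 'H','e','l' only */
    return !is_terminated(dst, sizeof dst); /* no '\0' was ever written */
}

int main(void)
{
    char buf[3];
    size_t n = copy_terminated(buf, sizeof buf, "Hello");
    printf("strncpy left dst unterminated: %d\n", strncpy_leaves_unterminated());
    printf("copy_terminated wrote %zu bytes: \"%s\"\n", n, buf);
    return 0;
}
```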
