What stack exploit?

Started by hutch--, May 04, 2005, 04:22:07 AM

Jibz

I think it would be a bad idea to stuff another one with some static limit into the library. The user doesn't always know a fixed limit either, e.g. build tools must handle any number of obj files you throw at them.

I would prefer some design that will allow any length and number of command line arguments :U.

hutch--

Jibz,

The reference material says there is an absolute limit of 32k characters so there cannot be such a thing as an unlimited command line length.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

QvasiModo

Quote from: hutch-- on May 11, 2005, 01:47:00 PM
Jibz,

The reference material says there is an absolute limit of 32k characters so there cannot be such a thing as an unlimited command line length.
There could be in the future, though. Or the limit could be expanded again. It's probably better to be on the safe side and let the user decide the limit, IMHO.

QvasiModo

My apologies for taking so long to post, had some problems with my computer back home.

Here's the code; it's FASM syntax and should be easy to port and adapt to the WinAPI calling convention. I'd also add some code to get the command line string, make a copy (allocated with HeapAlloc), and resize the memory object at the end of the routine.

;-----------------------------------------------------------------------------
; Command line parser by QvasiModo.
; Turns the string pointed to by EBX into an ASCIIZ array in place.
; Recognizes parameters enclosed in double quotes as a single token.
; Destroys EAX, EBX, ESI and EDI.
; NOTE: The GetCommandLine API returns a string that should be
; considered READ-ONLY. Make a copy of it before calling this proc.
tokenizar:
        mov     edi, ebx

.token_espacios:                        ; Skip spaces between tokens.
        movzx   eax, byte [ebx]
        add     ebx, 1
        test    eax, eax
        jz      .token_fin
        cmp     eax, ' '
        je      .token_espacios
        cmp     eax, '"'
        je      .token_comillas

.token_palabra:                         ; Search for the end of a word.
        lea     esi, [ebx - 1]
@@:     movzx   eax, byte [ebx]
        add     ebx, 1
        test    eax, eax
        jz      .token_copiar
        cmp     eax, ' '
        jne     @b
        jmp     .token_copiar

.token_comillas:                        ; Search for the end of a quoted string.
        mov     esi, ebx                ; Special case: "" is ignored.
        movzx   eax, byte [ebx]
        add     ebx, 1
        cmp     eax, '"'
        je      .token_espacios
        test    eax, eax
        jz      .token_fin
@@:     movzx   eax, byte [ebx]
        add     ebx, 1
        test    eax, eax
        jz      .token_copiar
        cmp     eax, '"'
        jne     @b

.token_copiar:                          ; Copy a token to [EDI].
        mov     byte [ebx - 1], 0       ; [ESI] -> beginning, [EBX - 1] -> end.
        push    eax                     ; Remember the byte that ended the token.
@@:     mov     al, byte [esi]
        mov     byte [edi], al
        add     esi, 1
        add     edi, 1
        cmp     al, 0
        jne     @b
        pop     eax
        test    eax, eax                ; Did the token end at the string's NUL?
        jz      .token_fin              ; Then stop: EBX is already past the end,
        jmp     .token_espacios         ; so scanning on would read beyond the string.

.token_fin:                             ; We're done!
        mov     byte [edi], 0
        ret

Hope it's of any use! :)

Jibz

Nice... is there some way to escape a double quote to insert it into an argument?

I mean something like: "this arg with spaces contains \" characters"

QvasiModo

No, I wrote it originally to receive filenames only. But it's a good idea. :)

Mark Jones

Does anybody know whether, in the string GetCommandLine returns a pointer to, the executed file is ALWAYS surrounded by quotes, i.e.

00141EE0  22 43 3A 5C 44 57 47 2E 65 78 65 22 20 22 63 3A  "C:\abc.exe" "c:
00141EF0  5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 66  \program files\f
00141F00  72 65 6C 6C 2E 65 78 65 22 20 2F 61 72 67 3A 77  rell.exe" /arg:w
00141F10  68 6F 61 00 AB AB AB AB AB AB AB AB EE FE EE FE  hoa.««««««««îþîþ

Here "C:\abc.exe" is the file being debugged and its name is quoted, even though it doesn't have to be. Can I expect all versions of Windows to behave the same way? Because it would be convenient to just scan for the 2nd instance of the quotation character to determine where the real arguments begin. Thanks!
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

hutch--

Mark,

It appears to vary from OS version to OS version, and about the only safe way I know of handling this variation is to deal with either quoted blocks or normal blocks of text at the same time.

"drv:\path\my app with spaces.exe" arg1 "quoted text" arg3 "more quoted" arg5

becomes

"drv:\path\my app with spaces.exe"
arg1
"quoted text"
arg3
"more quoted"
arg5

Mark Jones

Interestingly, when run from a console prompt instead of start-->run, the returned argument filename is not quoted and is lacking an extension, i.e.,

00141EE0  44 57 47 20 22 63 3A 5C 70 72 6F 67 72 61 6D 20  abc "c:\program
00141EF0  66 69 6C 65 73 5C 66 72 65 6C 6C 2E 65 78 65 22  files\frell.exe"
00141F00  20 2F 61 72 67 3A 77 68 6F 61 00 AB AB AB AB AB  /arg:whoa.««««««

I'm assuming that either one of these two behaviors can be expected on most versions of Windows... Because parsing this is a requirement of DWG, hopefully I've implemented a tiny and lightweight method in the DWG project:
http://www.masm32.com/board/index.php?topic=5317.0

zooba

It's easy to deal with. While parsing, every time you encounter a quote, toggle a bit/byte/flag somewhere. If the flag is set, spaces are part of the argument; if the flag is clear, spaces delimit the arguments. Then you can check for quotes surrounding a parameter and remove them if desired.

Cheers,

Zooba :U
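As an added example (not code posted in this thread, and not part of any poster's project), here is a C version of what zooba describes, run over hutch's sample line: a flag toggled by each quote decides whether a space separates arguments, the quotes are stripped, and the parser also handles Jibz's `\"` and QvasiModo's advice to copy the read-only GetCommandLine buffer and shrink the allocation afterwards. The backslash handling follows the rule Windows documents for CommandLineToArgvW (2n backslashes before a quote give n backslashes and a toggling quote, 2n+1 give n backslashes and a literal quote, backslashes elsewhere are literal); treating tab as a separator and letting `""` produce an empty argument are my choices, not from the thread. The scan stops at the terminating NUL and never reads past it, which is the property a copy of the command line placed on the heap or stack needs most.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* In-place tokenizer using zooba's flag: a quote toggles in_quotes, and a
 * space (or tab, added here) ends an argument only while the flag is clear.
 * Quotes are stripped.  Backslashes follow the CommandLineToArgvW rule: 2n
 * backslashes before a quote give n backslashes and a toggling quote, 2n+1
 * give n backslashes and a literal quote; elsewhere they are literal, so
 * paths survive.  Scanning stops at the NUL and never reads past it.
 * Returns the argument count, or -1 on an unterminated quote or overflow. */
int tokenize_cmdline(char *line, char **argv, int max_args)
{
    int argc = 0, in_quotes = 0, in_token = 0;
    char *out = line, *p = line;   /* write cursor never overtakes read cursor */

/* Open a new argument at the write cursor unless one is already open. */
#define BEGIN_TOKEN() do { if (!in_token) {                       \
        if (argc == max_args) return -1;                          \
        argv[argc++] = out; in_token = 1; } } while (0)

    while (*p != '\0') {
        if (*p == '\\') {
            size_t n = 0;
            while (p[n] == '\\') n++;              /* length of the run */
            BEGIN_TOKEN();
            if (p[n] != '"') {                     /* not before a quote: literal */
                for (size_t i = 0; i < n; i++) *out++ = '\\';
                p += n;
                continue;
            }
            for (size_t i = 0; i < n / 2; i++) *out++ = '\\';
            p += n;                                /* p now at the quote */
            if (n % 2 == 1) { *out++ = '"'; p++; } /* odd run: literal quote */
            continue;                              /* even run: quote toggles below */
        }
        if (*p == '"') {
            BEGIN_TOKEN();                         /* so "" yields an empty argument */
            in_quotes = !in_quotes;
            p++; continue;
        }
        if ((*p == ' ' || *p == '\t') && !in_quotes) {
            if (in_token) { *out++ = '\0'; in_token = 0; }   /* close argument */
            p++; continue;
        }
        BEGIN_TOKEN();
        *out++ = *p++;                             /* ordinary character */
    }
#undef BEGIN_TOKEN
    if (in_quotes) return -1;                      /* opening quote never closed */
    if (in_token) *out = '\0';
    return argc;
}

typedef struct {
    int    argc;
    char **argv;   /* argc pointers followed by a NULL sentinel */
    char  *buf;    /* private writable copy holding the argument text */
} cmdline_args;

/* GetCommandLine's buffer is read-only, so copy it, tokenize the copy, and
 * shrink the pointer array to what was used, as QvasiModo suggests.
 * Returns 0 on success, -1 on allocation failure or a malformed line. */
int split_cmdline(const char *cmdline, cmdline_args *res)
{
    size_t len = strlen(cmdline);
    int max_args = (int)(len / 2 + 1);   /* k arguments need >= 2k-1 characters */
    char  *buf  = malloc(len + 1);
    char **argv = malloc(((size_t)max_args + 1) * sizeof *argv);
    if (buf == NULL || argv == NULL) { free(buf); free(argv); return -1; }
    memcpy(buf, cmdline, len + 1);

    int argc = tokenize_cmdline(buf, argv, max_args);
    if (argc < 0) { free(buf); free(argv); return -1; }
    argv[argc] = NULL;
    char **fit = realloc(argv, ((size_t)argc + 1) * sizeof *argv);
    if (fit != NULL) argv = fit;         /* a failed shrink just keeps the block */
    res->argc = argc; res->argv = argv; res->buf = buf;
    return 0;
}

void free_cmdline(cmdline_args *res)
{
    free(res->argv); free(res->buf);
    res->argv = NULL; res->buf = NULL; res->argc = 0;
}

int main(void)
{
    /* Constructed input: hutch's sample line from this thread as a C literal. */
    const char *sample = "\"drv:\\path\\my app with spaces.exe\" arg1 "
                         "\"quoted text\" arg3 \"more quoted\" arg5";
    cmdline_args a;
    if (split_cmdline(sample, &a) != 0) { fputs("parse error\n", stderr); return 1; }
    for (int i = 0; i < a.argc; i++) printf("argv[%d] = <%s>\n", i, a.argv[i]);
    free_cmdline(&a);
    return 0;
}
```

On hutch's line this yields the six arguments he lists, with the quotes removed. One consequence of the backslash rule worth knowing: a quoted path that ends in a single backslash, such as `"c:\dir\"`, reads as a literal quote and the parser reports an unterminated quote rather than guessing; a tool that only ever receives filenames, as QvasiModo's did, can drop the backslash handling and treat every quote as a delimiter.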