Taken directly from:
http://xorl.wordpress.com/2011/02/01/irssi-create_addr_conn-null-pointer-dereference/
in case it gets edited...hilarious!
The above snippet was taken from the src/core/chat-protocols.c file and of course, if we manage to make g_return_val_if_fail() return NULL like sha0 did in his Perl IRC bot, the subsequent call to ‘proto->create_server_connect()’ will result in a NULL pointer dereference at the 0x20 offset.
Jesús Olmos who discovered this vulnerability suggests using a simple
check against NULL for ‘proto’ pointer before using it but he also
discusses an interesting approach for exploiting this vulnerability
which you can find here.
Using Nelson Elhage’s CVE-2010-4258 vulnerability (which by the way has countless more uses) he could make a call like:
clone((int (*)(void *))kernel_access_ok_bypass, (void *)((unsigned long)stack), CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD, NULL, NULL, NULL, target);
to bypass the check on unpatched Linux systems. In addition, we must also consider the numerous users that use irssi as their IRC client on other operating systems such as BSD derivatives, Windows, Solaris, etc.
It’s an interesting bug since, if you’re able to map some code to the 0x20 offset, a function pointer is used to call that address immediately.
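As an added illustration (not irssi's source and not code from the quoted post), the following C program models the bug shape the post describes and the fix Olmos suggested: a protocol lookup that can return NULL, a record whose function pointer sits at byte offset 0x20, a caller that uses the result unchecked, and the same caller with an explicit NULL check. The struct layout, the `protocols` table and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed protocol record (not irssi's CHAT_PROTOCOL_REC). The field
 * layout is chosen so the function pointer lands at byte offset 0x20, the
 * offset the post mentions, on both 32- and 64-bit targets. */
typedef struct {
    int   id;                              /* 0x00 */
    int   flags;                           /* 0x04 */
    char  name[24];                        /* 0x08 .. 0x1f */
    void *(*create_server_connect)(void);  /* 0x20 */
} chat_protocol_rec;

/* Stand-in for a protocol module's connect-record constructor. */
static void *irc_create_server_connect(void)
{
    static int fake_connect_rec;
    return &fake_connect_rec;
}

/* Constructed protocol table: only id 1 is registered. */
static chat_protocol_rec protocols[] = {
    { 1, 0, "IRC", irc_create_server_connect },
};

/* Lookup by id; returns NULL for an unregistered protocol, which is the
 * value the buggy caller never checks. */
chat_protocol_rec *chat_protocol_find_id(int id)
{
    size_t i;
    for (i = 0; i < sizeof(protocols) / sizeof(protocols[0]); i++)
        if (protocols[i].id == id)
            return &protocols[i];
    return NULL;
}

/* Vulnerable shape: the lookup result is used without a NULL check, so an
 * unregistered id reads the function pointer at offset 0x20 from NULL
 * and then calls through it. Never call this with an unregistered id. */
void *create_conn_unchecked(int chat_type)
{
    chat_protocol_rec *proto = chat_protocol_find_id(chat_type);
    return proto->create_server_connect();
}

/* Fixed shape: the explicit NULL check Olmos suggested. A plain `if` is
 * always present in the binary, unlike GLib's g_return_val_if_fail(),
 * which is compiled out when G_DISABLE_CHECKS is defined. */
void *create_conn_checked(int chat_type)
{
    chat_protocol_rec *proto = chat_protocol_find_id(chat_type);
    if (proto == NULL) {
        fprintf(stderr, "create_conn: unknown chat protocol id %d\n", chat_type);
        return NULL;
    }
    return proto->create_server_connect();
}

/* Exposes the offset so the layout claim can be verified at run time. */
size_t create_server_connect_offset(void)
{
    return offsetof(chat_protocol_rec, create_server_connect);
}

int main(void)
{
    printf("function pointer offset: 0x%zx\n", create_server_connect_offset());
    printf("id 1 (registered): %s\n", create_conn_checked(1) ? "ok" : "NULL");
    printf("id 99 (unregistered): %s\n", create_conn_checked(99) ? "ok" : "NULL");
    /* create_conn_unchecked(99) would read NULL + 0x20 and crash. */
    return 0;
}
```

The checked variant turns the crash into a logged failure and a NULL return that the caller can handle; the unchecked variant is kept only so the two shapes can be compared side by side.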