1. Null pointer dereference :FF
0day ? DOS ?
Music ?
http://www.youtube.com/watch?v=pfOvDJNt2uA
Yeaaah :D

2. ENTER
DEMO :FFFFFF
int* x; // Allocate the pointers x and y
int* y; // (but not the pointees)
x = malloc(sizeof(int)); // Allocate an int
pointee,
// and set x to point to it
*x = 42; // Dereference x to store 42 in its
pointer
*y = 13; // CRASH -- y does not have a
pointer yet

3. int *ptr, a = 12
ptr = &a; /* ptr buffer a variable shows
ptr = NULL; /* ptr set NULL */
*ptr = 8 /* crash! NULL pointer!!! value can not be
determined*/
Sizede bi eğrilik görsendimi amk ?

4. NULL Pointer Dereference
vulnerablity :S
size_t size = strlen(input_str)+1;
str = (char *)malloc(size);
input_str is copied into dynamically allocated memory referenced
by str
memcpy(str, input_str, size);
If malloc() fails, it returns a null pointer that is assigned to str
When str is dereferenced in memcpy()

5. /home/te~wnyou.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(char *argc,char *argv[])
{
char *str;
char *input_string=argv[1];
size_t size = strlen(input_string)+1;
str = (char *) malloc(size);
memcpy(str, input_string,size);
printf("%sn",str);
free(str);
...
return(0);
}
Insecure Codes ?

6. Reversing ?
EAX: 0x0
EBX: 0xb7fbe000 --> 0x1a5d7c
ECX: 0x0
EDX: 0xbffff204 --> 0xb7fbe000 --> 0x1a5d7c
ESi: 0x0
EDi: 0x0 <=======
EBP: 0xbffff1d8 --> 0x0
ESP: 0xbffff1a4 --> 0x0
EiP: 0xb7e9c756 (movdqu xmm1,XMMWORD PTR [edi])
===================
======> 0xb7e9c756: movdqu xmm1,XMMWORD PTR [edi]
CRASH !!!!!!!!!!!!!!!!!!!
Reversing ?Reversing ?Reversing ?

7. Referecens
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=null+pointer+d
=
https://www.securecoding.cert.org/confluence/display/seccode/EXP34-C.+Do+not+dereference+n
https://www.securecoding.cert.org/confluence/display/seccode/MEM32-C.+Detect+and+handle+m
http://xinyiding.net/index.php?interface=view&id=17
http://lwn.net/Articles/342330/
http://psomas.wordpress.com/tag/null-pointer-dereference/

8. End
@st1ll_di3
#eminghuliev