Vulnerability Development mailing list archives

Re: Possibly exploitable overflow in Alibaba 2.0


From: dullien () GMX DE (Thomas Dullien)
Date: Sat, 30 Oct 1999 23:44:02 +0200


On Fri, 29 Oct 1999 18:38:05 MET, W.H.J.Pinckaers wrote:

> Could you point us to the web site that is distributing this software?
> Along with a guess of the number of users of this webserver?

Well, I have no clear estimates of the number of users of this server,
but a few political parties in Germany use it for some pages ;)

Aside from that, the author's homepage is www.csm-usa.com

> And on what OS/CPU does the webserver run? Linux? Wintendo?

Wintendo 9x/NT

> I have such shellcode on the shelf, since this is needed by quite a
> lot of other webservers too. (Shellcode for Linux/X86) if you want it
> drop me a mail.

Well, on NT/9x we run into the problem that there is no way around
guessing the address of the stack. Theoretically, it could be possible
to overwrite the dword after the return address, too, and then ret
to a CALL ESP instruction somewhere in the DLL-Space in NT, but
since all DLLs are mapped somewhere in the 0x77xxxxxx-range, we can't
due to the strupr problem.

It might be a good idea to look at all products of CSM with a certain
suspicion as I have a 'pricking of my thumb' that they might have
similar holes. Evaluate their security before using them :)

Thomas Dullien
dullien () gmx de
Win32 Security Consultant ;-> Hire me !
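The mail's remark that DLL addresses in the 0x77xxxxxx range "can't" be used "due to the strupr problem" rests on a simple byte mapping: strupr upper-cases every byte, and 0x77 is the ASCII letter 'w', so any address whose bytes fall in 'a'..'z' (0x61..0x7a) is altered before it is ever reached. The following C program is an added illustration of that constraint and is not code from the original mail or from Alibaba; it assumes that, for single-byte ASCII, the CRT's strupr behaves like toupper() applied to each byte, and the sample addresses it prints are constructed values, not real module locations.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for the CRT's strupr()/_strupr(): upper-cases each
 * byte of the buffer in place. Assumption: for single-byte ASCII input
 * the CRT routine behaves like toupper() per byte. */
static void strupr_like(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)toupper(buf[i]);
}

/* Value a little-endian 32-bit address has after the four bytes that
 * hold it have passed through strupr_like(). */
uint32_t address_after_upper(uint32_t addr) {
    unsigned char bytes[4];
    for (int i = 0; i < 4; i++)
        bytes[i] = (unsigned char)(addr >> (8 * i));
    strupr_like(bytes, 4);
    uint32_t out = 0;
    for (int i = 0; i < 4; i++)
        out |= (uint32_t)bytes[i] << (8 * i);
    return out;
}

/* 1 if no byte of addr lies in 'a'..'z' (0x61..0x7a), i.e. the value is
 * unchanged by upper-casing; 0 if at least one byte would be rewritten. */
int survives_upper(uint32_t addr) {
    return address_after_upper(addr) == addr;
}

int main(void) {
    /* Constructed sample values: 0x77xxxxxx stands for the DLL range the
     * mail mentions, 0x0012ff80 for a typical NT stack region, and
     * 0x41424344 is plain upper-case ASCII. None is a real module address. */
    uint32_t samples[] = { 0x77e12345u, 0x0012ff80u, 0x41424344u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%08x -> %08x (%s)\n", samples[i],
               address_after_upper(samples[i]),
               survives_upper(samples[i]) ? "unchanged" : "mangled");
    }
    return 0;
}
```

Running it shows 0x77e12345 becoming 0x57e12345 (the 'w' byte turned into 'W'), while the stack-range and all-upper-case samples pass through untouched, which is exactly the distinction the mail draws between the DLL range and a guessed stack address.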

