Vulnerability Development mailing list archives

Blind Remote Buffer Overflow


From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Thu, 27 Apr 2000 16:46:59 -0700


What does a theoretically feasible attack of this nature look like?  Let's
say that you're up against a webserver that runs some CGI written in C.  How do you
find and exploit a buffer overflow without having access to the code?

It seems that you first need to find a buffer overflow.  What is the
symptom here?  When you dump core on one httpd proc, you'll just
spawn another one.  The service doesn't go down, so how do you know you
just caused the proc to core?

Then once you've found a buffer overflow, I guess you need to start
blindly guessing buffer sizes and locations until you get a winning
combination -- here the fact that webservers respawn would decidedly work
to your advantage.  You can also probably bet that the buffer size is damn
close to whatever size causes the proc to core, if you can determine that.

Can anyone flesh this out further, or knock big holes in this process, or
think of a radically different approach which is better?  Then, how can
you make it even harder to exploit these kinds of holes blindly?
