Vulnerability Development mailing list archives
Re: Blind Remote Buffer Overflow
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Mon, 1 May 2000 17:59:05 -0700
Bluefish wrote:
Uhm... To begin with, in most situations it seems unrecommended to assume the attacker is blind. But if he really is?
I believe there's probably some subtle ways to find out the processor architecture. If one can manage to grab an executable from it (pretty easy w/FTP) or get it to produce some error, or perhaps A or HINFO DNS records might give clues. heck, some site announce the hardware they run on. I just took a quick peek at the NMAP fingerprint DB. There are separate distinct entries for various processor architectures on some OSes. For example, there's a Solaris 2.6-2.7 as well as a Solaris x86 2.6-2.7 entry. They're close, but not exactly the same. Could be a fluke on the part of whoever submitted one of those entries, or it could be a regular difference.
Some people have mentioned some ways to try to find a vulnerability remotely. Now, lets say you using some way have determined you can rewrite EIP, PC (or whatever it's called on your architecture). What now to do to detect operating system and architecture?
In many cases, you will have more than one shot at trying your buffer overflow. One possibility is just trying them all. If the service doesn't auto-restart, then try each arch a week apart, so the admin doesn't get suspicious.
I believe a 'generic buffert overflower' could be a part of answer. Let a tool be given what you know (or guess) about the overflow. Let it generate a number of variants (as an example: Linux/i386, Linux/sparc, Windows/i386) which all of them does something like "echo 3 | mail badguy () test com". Depending upon what mail you actually get back, you know that the architecture is at least quite compatible with the envioronents that returns an answer.
Ahh.. now this could be really cool, if only as an exercise. Is anyone
aware of a set of bytes that will execute on two or more processor
architectures, and branch accordingly without bombing? We'd also need
something that could operate as a NOP for multiple architectures, too.
Who knows their x86 and Sparc opcodes really well?
BB
Current thread:
- Re: Blind Remote Buffer Overflow Ex Machina (Apr 30)
- <Possible follow-ups>
- Re: Blind Remote Buffer Overflow Matthew R. Potter (Apr 30)
- Re: Blind Remote Buffer Overflow Arturo Busleiman (Apr 30)
- Re: Blind Remote Buffer Overflow Ralph The Wonder Llama (May 01)
- Re: Blind Remote Buffer Overflow Granquist, Lamont (May 01)
- Re: Blind Remote Buffer Overflow Reinier Heeres (May 02)
- Re: Blind Remote Buffer Overflow Matthew R. Potter (May 02)
- Re: Blind Remote Buffer Overflow Jani Ollikainen (May 02)
- Re: Blind Remote Buffer Overflow Granquist, Lamont (May 01)
- Re: Blind Remote Buffer Overflow Bluefish (May 01)
- Re: Blind Remote Buffer Overflow Marc (May 01)
- Re: Blind Remote Buffer Overflow Blue Boar (May 01)
- Re: Blind Remote Buffer Overflow matej (May 01)
- Re: Blind Remote Buffer Overflow Pavol Luptak (May 02)
- Ascii-x86 was: Blind Remote Buffer Overflow Bluefish (May 03)
- Re: Ascii-x86 was: Blind Remote Buffer Overflow Robert Collins (May 03)
- Re: Ascii-x86 was: Blind Remote Buffer Overflow Bill Weiss (May 03)
- firewall audit LEOW Chiun-Yi Jonathan (May 03)
- Re: firewall audit Ron DuFresne (May 03)
- Re: firewall audit antirez (May 04)
- Re: firewall audit Bennett Todd (May 04)
- Re: firewall audit Ron DuFresne (May 04)