Vulnerability Development mailing list archives
buffer overflows encapsulation
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Mon, 22 Jan 2001 01:14:38 -0000
hi, has someone here already seen or heard something about eggshells encapsulating a buffer overflow? I mean an eggshell to exploit, for instance, a low-privilege user like nobody through a usual vulnerable cgi, but this eggshell would be crafted to locally exploit another buffer overflow, this time in order to get root.

It may be possible (not necessarily easily) with an execve system call and a long enough buffer to sploit. If root can be gained in a simple manner (like a setuid floodable parameter), our second (encapsulated) buffer address would be passed as an argument of execve and thus should be pushed on the stack before the interrupt call.

I guess that finding the good offset values will be a bit more complicated, but shouldn't be impossible at all?! did u see something like that around here? do u see any reason why this shouldn't be possible? It seems to be an interesting case to study. Most remote buffer exploits would be turned into remote root compromise in two passes.

cheers,

Gregory Duchemin
Current thread:
- buffer overflows encapsulation gregory duchemin (Jan 22)
- Re: buffer overflows encapsulation Robert van der Meulen (Jan 23)