Dailydave mailing list archives
Re: No sellout. was: RE: Lynn / Cisco shellcode
From: "I)ruid" <druid () caughq org>
Date: Tue, 02 Aug 2005 16:26:13 -0500
On Tue, 2005-08-02 at 18:14 -0300, Holden Williamson wrote:
> I think the major issues that Mike brought to light that most experienced people walked away from the presentation with (me included) were that there are ways to fool IOS's check_heaps function which preemptively reboots the device if something is amiss (usually thwarting most exploit attempts) and that the
> Didn't FX@Phenoelit already cover this a year ago or more? If I remember correctly he described the whole process as "basic exploitation with a few tricky things".
Yes, to an extent, but he didn't go into what the tricky things were, or how to handle them, and at the time (presumably) no one outside of Cisco knew about the virtualized process features of upcoming IOS versions. Mike referenced FX's research multiple times during the presentation and even had an entire slide dedicated to FX's research, making it well known that his research was an extension of the work already done by FX.
> And if your exploits are primitive enough that they can't work around not knowing exactly hard-coded where in memory they're aiming at with their write4 then .... OH I get it. People are happy because suddenly those with quasi-zero technical exploitation ability can write exploits for Cisco hardware. Makes sense now.
Exactly. I think the example Mike used during the presentation was that with the upcoming versions of IOS you could potentially write a small, effective worm that will work across all IOS versions with the new features, whereas if you were to try to write a worm today, it would have to include the addresses for every version of IOS you wanted the worm to be able to attack, which since they currently change with every build of the software, would make one hell of a big worm. Essentially, his point was that you could probably detect and squelch the worm's attack before it was even able to transfer itself to the system to be executed after exploiting the bug used to get in.

--
I)ruid, C²ISSP
druid () caughq org
http://druid.caughq.org