Full Disclosure mailing list archives
Pound <=1.5 Remote Exploit (Format string bug)
From: "Eye on Security India" <eos-india () linuxmail org>
Date: Sat, 08 May 2004 08:19:28 +0800
/*
Pound <=1.5 remote format string exploit (public version)
by Nilanjan De - n2n () front ru
Eye on Security Research Group, India, http://www.eos-india.net
Vendor URL: http://www.apsis.ch/pound/

Local exploit is only useful if pound is setuid
The shellcode used doesn't break chroot
if you need to break chroot, use a different shellcode

To find jmpslot:
For remote: objdump -R /usr/sbin/pound|grep pthread_exit|cut -d ' ' -f 1
for local: objdump -R /usr/sbin/pound|grep exit|grep -v pthread|cut -d ' ' -f 1

Note: In case of remote exploit, since the exploit occurs in one of the threads,
you may need to modify this exploit to brute-force the RET address to make the exploit work.
Since pound runs in daemon mode, brute forcing it is no problem.
*/
Attachment: 305-pound.c
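Added defender-side check, not part of the post or of Pound's own code: the jmpslot the post has you locate with objdump -R is a GOT entry, and Full RELRO (PT_GNU_RELRO plus BIND_NOW) makes the GOT read-only once the loader is done, which is the hardening a packager would want to verify on a pound binary before worrying about which slot an exploit targets. The script assumes a little-endian ELF64 image and the standard ELF constants; the sample image it builds is constructed for the check and is not a real binary.

```python
import struct

# ELF constants used below (from the ELF/glibc ABI; assumed, not from the post).
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR = "<16sHHIQQQIHHHHHH"  # ELF64 file header, little-endian (64 bytes)
PHDR = "<IIQQQQQQ"          # ELF64 program header (56 bytes)

def relro_level(elf: bytes) -> str:
    """Return 'full', 'partial' or 'none'. Full RELRO (PT_GNU_RELRO plus
    BIND_NOW) makes the GOT read-only after loading, so an arbitrary write
    cannot redirect a jmpslot such as exit() or pthread_exit()."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, elf, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    has_relro = bind_now = False
    for i in range(phnum):
        p = struct.unpack_from(PHDR, elf, phoff + i * phentsize)
        p_type, p_off, p_filesz = p[0], p[2], p[5]
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section for any of the BIND_NOW markers.
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    if has_relro and bind_now:
        return "full"
    return "partial" if has_relro else "none"

def build_sample_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image: file header, program headers and a
    two-entry dynamic section, enough for relro_level() to classify it."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 2 * 56                     # dynamic section follows 2 phdr slots
    phdrs = [(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, LSB, version 1
    ehdr = struct.pack(EHDR, ident, 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    table = b"".join(struct.pack(PHDR, *p) for p in phdrs).ljust(2 * 56, b"\0")
    return ehdr + table + dyn
```

On a real installation, feed relro_level() the bytes of the pound binary; anything but "full" means the GOT stays writable at runtime.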