Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 12.06.05: Ipswitch
From: "FistFucker" <FistFuXXer () gmx de>
Date: Fri, 16 Dec 2005 16:37:27 +0100
No, there was nothing useful on the stack. Just a few static strings and pointers to the code section of various DLLs, followed by thousands of zeros. I've tryed many possibilities for about 3 weeks and then I've gave it up. Now I want to know if it's really exploitable and how. -FistFucker (aka FistFuXXer) ----- Original Message ----- From: "H D Moore" <hdm () metasploit com> To: "FistFucker" <FistFuXXer () gmx de> Sent: Friday, December 16, 2005 4:09 PM Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch
Doh, oh well. If you send %p x 512, is there anything else in memory that you can control? An idea might be to send a long mail from: before using a rcpt to: with the format specifier. Doing something similar for a CGI app right now. -HD On Friday 16 December 2005 09:05, FistFucker wrote:I've already tryed this, but argument-skipping isn't supported by the called funtion. -FistFucker (aka FistFuXXer) ----- Original Message ----- From: "H D Moore" <fdlist () digitaloffense net> To: <full-disclosure () lists grok org uk> Sent: Friday, December 16, 2005 3:59 PM Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: IpswitchThis may not be a limitation if you can use the argument-skipping syntax in msvcrt (ie. %4000$x). -HD On Friday 16 December 2005 08:32, FistFucker wrote:I don't think it's > exploitable because the user controlled string is many thousand bytes away from the stack pointer and you can only send 512 bytes to the SMTP daemon.[snip]If someone was able to exploit this, I would be interested in exploit code or an explanation to learn from him._______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: iDEFENSE Security Advisory 12.06.05: Ipswitch Chris Rogers (Dec 16)
- Re: iDEFENSE Security Advisory 12.06.05: Ipswitch FistFucker (Dec 16)
- Re: iDEFENSE Security Advisory 12.06.05: Ipswitch H D Moore (Dec 16)
- Re: iDEFENSE Security Advisory 12.06.05: Ipswitch FistFucker (Dec 16)
- Message not available
- Message not available
- Re: iDEFENSE Security Advisory 12.06.05: Ipswitch FistFucker (Dec 16)
- Re: iDEFENSE Security Advisory 12.06.05: Ipswitch H D Moore (Dec 16)
- Re: iDEFENSE Security Advisory 12.06.05: Ipswitch FistFucker (Dec 16)